Shohreh Hosseinzadeh Security and Trust in Cloud Computing and IoT through Applying Obfuscation, Diversification, and Trusted Computing Technologies Turku Centre for Computer Science TUCS Dissertations No 258, November 2020 Security and Trust in Cloud Computing and IoT through Applying Obfuscation, Diversification, and Trusted Computing Technologies Shohreh Hosseinzadeh To be presented, with the permission of the Faculty of Science and Engineering of the University of Turku, for public criticism in lecture hall XXII of Agora on November 28th, 2020, at 12 noon. University of Turku Department of Future Technologies 20014 Turun Yliopisto Finland 2020 Supervisors Professor Ville Lepp¨anen Department of Future Technologies University of Turku Finland Associate Professor Seppo Virtanen Department of Future Technologies University of Turku Finland Reviewers Professor Benoit Baudry Division of Software and Computer System KTH Royal Institute of Technology Lindstedtsv¨agen3, Stockholm Sweden Adjunct Professor Martin Gilje Jaatun Department of Electrical University of Stavanger Kjell Arholms gate 41, 4036 Stavanger Norway Opponent Professor Valtteri Niemi Department of Computer Science University of Helsinki Pietari Kalmin katu 5, 00014 Helsinki Finland The originality of this thesis has been checked in accordance with the University of Turku quality assurance system using the Turnitin Originality Check service. ISBN 978-952-12-3992-2 ISSN 1239-1883 Abstract Cloud computing and Internet of Things (IoT) are very widely spread and commonly used technologies nowadays. The advanced services offered by cloud computing have made it a highly demanded technology. Enterprises and businesses are more and more relying on the cloud to deliver services to their customers. The prevalent use of cloud means that more data is stored outside the organization's premises, which raises con- cerns about the security and privacy of the stored and processed data. This highlights the significance of effective security practices to secure the cloud infrastructure. The number of IoT devices is growing rapidly and the technology is being employed in a wide range of sectors including smart healthcare, industry automation, and smart environments. These devices collect and exchange a great deal of information, some of which may contain critical and personal data of the users of the device. Hence, it is highly significant to protect the collected and shared data over the network; notwithstanding, the studies signify that attacks on these devices are increasing, while a high percentage of IoT devices lack proper security measures to protect the devices, the data, and the privacy of the users. In this dissertation, we study the security of cloud computing and IoT and propose software-based security approaches supported by the hardware- based technologies to provide robust measures for enhancing the security of these environments. To achieve this goal, we use obfuscation and diversifica- tion as the potential software security techniques. Code obfuscation protects the software from malicious reverse engineering and diversification mitigates the risk of large-scale exploits. We study trusted computing and Trusted Execution Environments (TEE) as the hardware-based security solutions. Trusted Platform Module (TPM) provides security and trust through a hardware root of trust, and assures the integrity of a platform. We also study Intel SGX which is a TEE solution that guarantees the integrity and confidentiality of the code and data loaded onto its protected container, enclave. More precisely, through obfuscation and diversification of the operating systems and APIs of the IoT devices, we secure them at the application level, i and by obfuscation and diversification of the communication protocols, we protect the communication of data between them at the network level. For securing the cloud computing, we employ obfuscation and diversification techniques for securing the cloud computing software at the client-side. For an enhanced level of security, we employ hardware-based security solutions, TPM and SGX. These solutions, in addition to security, ensure layered trust in various layers from hardware to the application. As the result of this PhD research, this dissertation addresses a number of security risks targeting IoT and cloud computing through the delivered publications and presents a brief outlook on the future research directions. ii Tiivistelm¨a Pilvilaskenta ja esineiden internet ovat nyky¨a¨anhyvin tavallisia ja laajasti sovellettuja tekniikkoja. Pilvilaskennan pitk¨allekehittyneet palvelut ovat tehneet siit¨ahyvin kysytyn teknologian. Yritykset enenev¨ass¨am¨a¨arinnojaa- vat pilviteknologiaan toteuttaessaan palveluita asiakkailleen. Vallitsevassa pilviteknologian soveltamistilanteessa yritykset ulkoistavat tietojensa k¨asitte- ly¨ayrityksen ulkopuolelle, mink¨avoidaan n¨ahd¨anostavan esiin huolia tal- tioitavan ja k¨asitelt¨av¨antiedon turvallisuudesta ja yksityisyydest¨a. T¨am¨a korostaa tehokkaiden turvallisuusratkaisujen merkityst¨aosana pilvi-infra- struktuurin turvaamista. Esineiden internet -laitteiden lukum¨a¨ar¨aon nopeasti kasvanut. Teknolo- giana sit¨asovelletaan laajasti monilla sektoreilla, kuten ¨alykk¨a¨ass¨atervey- denhuollossa, teollisuusautomaatiossa ja ¨alytiloissa.Sellaiset laitteet ker¨a¨a- v¨atja v¨alitt¨av¨atsuuria m¨a¨ari¨ainformaatiota, joka voi sis¨alt¨a¨alaitteiden k¨aytt¨ajienkannalta kriittist¨aja yksityist¨atietoa. T¨ast¨asyyst¨ajohtuen on eritt¨ainmerkityksellist¨asuojata verkon yli ker¨att¨av¨a¨aja jaettavaa tietoa. Monet tutkimukset osoittavat esineiden internet -laitteisiin kohdistuvien tie- toturvahy¨okk¨aysten m¨a¨ar¨anolevan nousussa, ja samaan aikaan suuri osuus n¨aist¨alaitteista ei omaa kunnollisia teknisi¨aominaisuuksia itse laitteiden tai niiden k¨aytt¨ajienyksityisen tiedon suojaamiseksi. T¨ass¨av¨ait¨oskirjassatutkitaan pilvilaskennan sek¨aesineiden internetin tietoturvaa ja esitet¨a¨anohjelmistopohjaisia tietoturval¨ahestymistapoja tur- vautumalla osittain laitteistopohjaisiin teknologioihin. Esitetyt l¨ahestymista- vat tarjoavat vankkoja keinoja tietoturvallisuuden kohentamiseksi n¨aiss¨a konteksteissa. T¨am¨ansaavuttamiseksi ty¨oss¨asovelletaan obfuskaatiota ja diversifiointia potentiaalisiana ohjelmistopohjaisina tietoturvatekniikkoina. Suoritettavan koodin obfuskointi suojaa pahantahtoiselta ohjelmiston takai- sinmallinnukselta ja diversifiointi torjuu tietoturva-aukkojen laaja-alaisen hy¨odynt¨amisenriski¨a. V¨ait¨oskirjaty¨oss¨atutkitaan luotettua laskentaa ja luotettavan laskennan suoritusalustoja laitteistopohjaisina tietoturvaratkai- suina. TPM (Trusted Platform Module) tarjoaa turvallisuutta ja luottamuk- sellisuutta rakentuen laitteistopohjaiseen luottamukseen. Pyrkimyksen¨aon taata suoritusalustan eheys. Ty¨oss¨atutkitaan my¨osIntel SGX:¨a¨ayhten¨a luotettavan suorituksen suoritusalustana, joka takaa suoritettavan koodin iii ja datan eheyden sek¨aluottamuksellisuuden pohjautuen suojatun s¨aili¨on, saarekkeen, tekniseen toteutukseen. Tarkemmin ilmaistuna ty¨oss¨aturvataan k¨aytt¨oj¨arjestelm¨a-ja sovellus- rajapintatasojen obfuskaation ja diversifioinnin kautta esineiden internet - laitteiden ohjelmistokerrosta. Soveltamalla samoja tekniikoita protokolla- kerrokseen, ty¨oss¨asuojataan laitteiden v¨alist¨atiedonvaihtoa verkkotasolla. Pilvilaskennan turvaamiseksi ty¨oss¨asovelletaan obfuskaatio- ja diversifioin- titekniikoita asiakaspuolen ohjelmistoratkaisuihin. Vankemman tietoturval- lisuuden saavuttamiseksi ty¨oss¨ahy¨odynnet¨a¨anlaitteistopohjaisia TPM- ja SGX-ratkaisuja. Tietoturvallisuuden lis¨aksin¨am¨aratkaisut tarjoavat moni- kerroksisen luottamuksen rakentuen laitteistotasolta ohjelmistokerrokseen asti. T¨am¨anv¨ait¨oskirjatutkimusty¨ontuloksena, osajulkaisuiden kautta, vas- tataan moniin esineiden internet -laitteisiin ja pilvilaskentaan kohdistuviin tietoturvauhkiin. Ty¨oss¨aesitet¨a¨anmy¨osn¨akemyksi¨ajatkotutkimusaiheista. iv Acknowledgments Undertaking this PhD has truly been a life-changing experience to me, and marks a milestone on my personal and professional life. Reaching this mile- stone would not have been possible without the guidance and support of many people. First and foremost, I would like to express my sincerest gratitude towards my supervisor, Professor Ville Lepp¨anenwho gave me the opportunity to conduct my research in his research group. I am grateful for all the sup- ports, encouragements, and inspiration throughout the whole journey. The freedom to choose topic of my interest, the smoothness and flexibility he was offering to the group, made it a joyful place to work for me. I greatly appreciate the support I received from Associate Professor Seppo Virtanen in the final stage of my PhD with his advice and com- ments that greatly improved my thesis. I would also like to thank Professor Jouni Isoaho for his support and directing my thesis. I wish to especially thank Professor Benoit Baudry and Adjunct Pro- fessor Martin Gilje Jaatun who kindly reviewed my thesis, and provided fruitful comments and insights. I am as well greatly grateful to Professor Valtteri Niemi, for accepting to act as my opponent. I would like to warmly express my appreciation towards Professor Asokan for giving me the opportunity of a research visit at the Secure Systems Group in Aalto University. This has been a great chance for my thesis and for me to expand my knowledge, and my professional network. I also would like to thank Dr. Andrew Paverd and Dr. Hans Liljestrand for the very fruitful collaboration we had during