Secure Internet of Things Project Overview Monday, October 26, 2015 Rethinking a Secure Internet of Things http://iot.stanford.edu The Internet will soon connect us to the physical world through personal health monitors, proximity networks, smart homes, smart cars, and automation networks. These new networks provide tremendous opportunity, but also bring tremendous risks. Today, hackers steal credit card numbers; tomorrow, they will be able to control your home, steal your personal medical data, and track you as you walk down the street. Existing approaches to secure computing systems are insufficient for these new cyber-physical applications, as they have very different trust models and network architectures, bridging pervasive local area networks, personal mobile devices, server storage, and web-based applications. The Secure Internet of Things Project (SITP) is a 5-year collaboration between Stanford, UC Berkeley, and the University of Michigan to research fundamentally new, better ways to secure the Internet of Things and make them easy to use. The project seeks to answer three principal questions: Analytics: how will we integrate these enormous streams of physical world instrumentation with all of our existing data? Security: how can pervasive sensing and analytics systems preserve and protect user and system security? Hardware and software systems: what hardware and software systems will make developing new intelligent and secure Internet of Things applications as easy as a modern web application? These three efforts are tightly connected. Internet of Things (IoT) applications will need novel cryptographic protocols that are able to work on tiny, low-power devices yet also scale up to enormous stores of data in the cloud. Furthermore, IoT devices (such a smart lock) might remain in use for 10-20 years, so we must protect today’s devices against attacks from 20 years in the future. The principal investigators of the project met for a 2-day retreat in June of 2015 to lay out a research agenda for the first year of the project. Three broad topics emerged as key problems to tackle: 20-year security, application developer frameworks, and the IoT gateway. 20-year Security What does it mean to secure a computing device for 20 years in the future? 20 years ago the web was beginning to take off: HTTPS didn’t really exist yet and people often had to manually configure their IP addresses in the operating system control panels. Nowadays, we have worms, phishing, cross-site scripting, DNS attacks, and advanced persistent threats (APTs). When we deploy an IoT device, we need to realize that computer security will make similar leaps and transformations in complexity and sophistication in the next 20 years. The larger scale computing infrastructure around IoT devices can evolve quickly (we replace our mobile phones and servers are updated) but the devices themselves remain deployed and so must be ready to adapt and weather these changes in the security landscape. Our work on 20-year security has three major thrusts. The first is designing what a future embedded system-on-a- chip will need in terms of cryptographic primitives. Cryptography tends to be computationally intensive and therefore consume a lot of energy on an embedded device if run in software. Hardware support, however, can make cryptography extremely efficient and cost-effective. But the ciphers and algorithms we will use in 20 years will be very different than those today. In the most extreme future, quantum computers may be real and so IoT devices will need signature schemes that are resistant to quantum attacks. Thankfully, the cost landscape of smaller processes means that embedded SoCs have space to spare, so we can add a lot of programmable cryptographic support. The second thrust is random number generation. Random numbers are the foundation of all cryptography and computer security. While modern processors have hardware circuits to generate random bits from random !1 Secure Internet of Things Project Overview Monday, October 26, 2015 processes such as thermal noise (e.g., the x86 RDRAND and RDSEED instructions), such features are rare in the low power micro-controllers that IoT devices use. Furthermore, correctly and safely generating random bits is subtle and must be done very carefully. A first linchpin of a secure Internet of Things is fast and inexpensive ($ and board area) random number generation that anyone can easily incorporate into a device. Finally, this random number generator should be physically verifiable: someone should be able to look at it with the naked eye and check that it is correct. The major challenge that arises in such a circuit is being able to quantify the minimum entropy each bit provides. It is typical for random bits to be unevenly distributed over 0 and 1. The more uneven the distribution is, the more random bits one must collect to generate the needed randomness. Historically this problem has been solved either in hardware or in software: we are exploring designs that jointly hardware and software which we believe will be able to provide sufficient randomness for an embedded device’s entire lifetime within 1 millisecond of it booting. The third and final thrust is the design and implementation of a new, secure embedded operating system. Embedded systems today are still typically written in low-level C. We learned in the end of the 20th century that this leads to buffer overflow attacks and many other security vulnerabilities. Desktop and server operating systems have since moved to use a variety of techniques and hardware mechanisms to protect against such attacks, but embedded processors do not have these luxuries. Our hypothesis is that using a type-safe systems language can provide a provably secure OS kernel that can allow multiple untrusted applications (e.g., apps loaded onto a smart watch) to run concurrently. Application Development Frameworks A system is only as secure as its hardware and software. Most IoT applications follow a common “MGC” architecture, consisting of four parts: eMbedded devices, a Gateway device such as a mobile phone, and servers (in the cCoud or within the network). These devices span 3-6 orders of magnitude in resources and each use their own languages, operating systems, and application frameworks. Verifying and establishing security properties across this mish-mash of existing systems is intractable. We will research new operating systems, network protocols, and tools that can verify that an application across all of these devices maintains its security properties. Finally, if security is difficult to use, developers will work around it. Our goal is to make secure, powerful Internet of Things applications as easy as a modern web application. Rather than take 10 engineers two years, it should take 3 engineers two months. Making complex cyber-physical applications easy to prototype and deploy will democratize development and lead to a whole new ecosystem of tools, APIs, and software. IoT systems are unique in that they bridge hardware and software even in their earliest stages. Computer science departments across the world are educating hundreds of thousands of students, but most software engineers think hardware is daunting. We will are researching how to support “software-defined hardware”, that is, enabling software engineers to specify an entire IoT device by specifying what libraries and features their code needs. Our current approaches center on using new dark data synthesis techniques to automatically read in thousands of data sheets and populate a rich database with their important properties. Libraries can specify the constraints on components they require, and hardware generation uses these constraints to query the database for possible components. The IoT Gateway A gateway is a critical part of almost every IoT application. It provides the bridge between a low-power wireless network and the broader Internet. A gateway can be everything from a simple IP router (your WiFi access point for a Nest device) to a complex application platform that runs applications, has complex user interfaces, and orchestrates between embedded devices and the cloud (your mobile phone). We are exploring what features and abstractions a gateway should provide, both to applications as well as users. These efforts currently focus on two major problems: communication visibility and application sandboxing. Suppose in the future you have 100 or 1,000 IoT devices scattered through your home. What are they doing? Today, they are black boxes. You cannot, for example, see what data your Nest thermostat is sending, as it is encrypted end-to-end with Nest servers. Unlike laptops and phones, you cannot install new security certificates on the thermostat that let you look at its data. We posit that a fundamental requirement for IoT systems is that their !2 Secure Internet of Things Project Overview Monday, October 26, 2015 owner should be able to see how their devices are communicating and what they are saying. Technically, IoT gateways should provide information on what services and systems their IoT devices are sending data to and receiving data from. This data should remain private to the owner of the gateway, although they can share it freely with others: aggregating such data can provide valuable insights on what is normal behavior and what they might be doing. This ability to inspect traffic should go beyond just seeing how many bytes are sent; gateways, when property authorized by the owner of the device, should have the ability to snoop inside traffic. That is, gateways need the ability to relax secrecy in order to audit and monitor what devices are saying about their owners. This ability to snoop should not violate integrity; while a gateway can see the traffic a thermostat sends to a server, it cannot forge data. Achieving these twin goals of relaxing secrecy while maintaining integrity requires new cryptographic and protocol mechanisms.