Wsanacip tampres cluster meeting
- 1. Assessment Models to Improve the Usability of
Security in Wireless Sensor Networks
Steffen Peter
IHP
Im Technologiepark 25
15236 Frankfurt (Oder)
Germany
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2011 - All rights reserved
- 2. Outline
• Introduction WSAN4CIP, TAMPRES
• Motivation
• Model-based security assessment approach
• Example for practical security model
- 3. WSAN4CIP
• Protection of critical infrastructures
• Potential threats
– Natural disasters (floods, earthquakes)
– Terrorism, vandalism, crime (stealing iron)
• Providing monitoring capabilities for large scale
infrastructure requires:
– Low cost devices
– No additional infrastructure
– Robust, self-configuring systems
– Integration in SCADA infrastructures
• WSNs protecting CIP become part of the CIP
– need to be protected
– Development and integration of mechanisms to protect the WSN
- 4. WSAN4CIP demonstration sites (1)
- 5. WSAN4CIP demonstration sites (2)
Briesen (Mark)
Rosengarten
Jacobsdorf
• Drinking water distribution network
– Monitoring of a 20km pipeline in Germany
– Reporting of operating state, alarm conditions and access control
– Integration in existing infrastructures
• Nodes are exposed to physical attacks
- 6. TAMPRES
• Development of novel protection means to ensure
tamper resistance and improve trustworthiness for
severely constrained devices
• Enhancing the security of the Future Internet by
improving the resistance of its weakest link, i.e.
wireless sensor nodes against physical attacks
• Highly technical project with the goal to implement
a tamper resistant sensor node with cryptographic
accelerators and side-channel resistance
- 7. General Problem
• Gap between application level (users) and
technological level (developers)
• Complex trade-offs on technological level often not
understood on application level
• Particularly true for Wireless Sensor Networks
– Energy, Memory, Security, Cost – Trade-offs
– No one-fits-all solution
- 8. Overview: Model-based System Security Assessment
• Application requirements (understood by users)
– C1: Collecting (soft) user security requirements and transforming them into a (hard) model that allows assessment
• Security and assessment models
– C3: Does the system satisfy the requirements?
– Need for adequate models
– Inferring properties of the composed system, based on the meta-information of the basis components
• System = composition of basis components
– (Automatic) selection of basis components
• Technological basis: components, services and protocols with complex trade-offs
– C2: Describing the individual (security) properties of the components as meta-information
- 9. C1: Collection and Mapping of User Requirements
• Full specification of the application mission
– Relevant phenomena
– Selection of sensors
– Expected lifetime and reliability
• Hide technical details
– Users typically cannot express their security needs
• Language easy to use for users
– Central catalogue
– Specific catalogues for specific domains
- 10. Two-Step Requirement Definition Process
• Transformation of requirements
– Application type (health care, home, industrial)
– Attacker model and capabilities
– Required security attributes (concealment, integrity, robustness)
– Parameters
- 11. C2: Describing attributes of components and system
• Definition of a (Meta-) component model
– Hardware and software components
– Protocols, services
• Security properties as part of the meta information
of the components
– Provided by the developers (they know what their
components are doing)
– Have to be observed by independent experts
• Has to support composable security
– sec(comp. A + comp. B) = f(sec(comp. A), sec(comp. B))
- 12. Component Meta-Model
- 13. C3: Definition of Security Models
• Should be able to decide whether a system is
secure for the given requirements
• Inputs are:
– Technical requirements
– Properties of the system
• Output:
– List of conflicts
- 14. Currently implemented Model Approach
• Define requirements, environmental information,
security properties, attacker properties as properties
in one large graph
– Connected via relations (formulas) defining how properties
depend on and define each other
• Security is expressed as views on specific aspects
– The system is secure if the attribute is free of conflicts in the context of
the requirements
• Starting point is a holistic security model
– Successive refinement to assess the aspects
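As an added illustration of slides 11, 13 and 14 (example code, not part of the presentation or of the WSAN4CIP/TAMPRES tooling): requirements, environment, attacker level and component meta-information are put into one property graph, relations (formulas) derive further properties in dependency order, the composition rule realises sec(A + B) = f(sec(A), sec(B)) as "weakest component decides, footprints add up", and each security view yields a conflict when it is violated. All component names, property names, thresholds and sample values are constructed assumptions.

```python
"""Property-graph assessment: requirements, environment, attacker and component
properties in one graph, related by formulas; the output is a list of conflicts.
All component data, relations and thresholds are constructed for this example."""
from graphlib import TopologicalSorter
from typing import Callable

# A relation derives one property from others: (derived name, inputs, formula).
Relation = tuple[str, tuple[str, ...], Callable[..., object]]


def compose(components: list[dict]) -> dict:
    """sec(comp A + comp B) = f(sec(comp A), sec(comp B)): hypothetical composition
    rules where the weakest component decides a security attribute and memory
    footprints add up (the footprint prediction a selection tool would report)."""
    return {
        "link_encrypted": all(c["link_encrypted"] for c in components),
        "key_bits": min(c["key_bits"] for c in components),
        "authenticated": all(c["authenticated"] for c in components),
        "ram_bytes": sum(c["ram_bytes"] for c in components),
    }


RELATIONS: list[Relation] = [
    # Attacker capabilities follow from the application type and node exposure.
    ("attacker_level", ("application_type", "physically_exposed"),
     lambda app, exposed: 3 if app == "critical_infrastructure" else (2 if exposed else 1)),
    # The stronger the attacker, the stronger the keys have to be (assumed thresholds).
    ("required_key_bits", ("attacker_level",), lambda lvl: {1: 80, 2: 112, 3: 128}[lvl]),
    # Views on specific aspects: each is conflict-free (True) or in conflict (False).
    ("concealment_ok", ("need_concealment", "link_encrypted", "key_bits", "required_key_bits"),
     lambda need, enc, bits, req: (not need) or (enc and bits >= req)),
    ("integrity_ok", ("need_integrity", "authenticated"),
     lambda need, auth: (not need) or auth),
    ("footprint_ok", ("ram_bytes", "ram_available"), lambda used, avail: used <= avail),
]

CONFLICT_TEXT = {
    "concealment_ok": "concealment: links not encrypted or key too short for the attacker model",
    "integrity_ok": "integrity: message authentication required but not provided",
    "footprint_ok": "footprint: proposed configuration exceeds the available RAM",
}


def evaluate(graph: dict) -> dict:
    """Evaluate every relation in dependency order and return the completed graph."""
    derived = {name: (deps, fn) for name, deps, fn in RELATIONS}
    # Only edges between derived properties matter for ordering; base properties are given.
    order = TopologicalSorter({n: {d for d in deps if d in derived} for n, (deps, _) in derived.items()})
    values = dict(graph)
    for name in order.static_order():
        deps, fn = derived[name]
        missing = [d for d in deps if d not in values]
        if missing:
            raise KeyError(f"property {name} needs unknown inputs {missing}")
        values[name] = fn(*(values[d] for d in deps))
    return values


def assess(requirements: dict, environment: dict, components: list[dict]) -> list[str]:
    """Return the list of conflicts; an empty list means the system is secure
    for the given requirements in the given context."""
    values = evaluate({**requirements, **environment, **compose(components)})
    return [text for prop, text in CONFLICT_TEXT.items() if not values[prop]]


# Constructed component meta-information, as developers would supply it.
AES_LINK = {"name": "aes-ccm-link", "link_encrypted": True, "key_bits": 128, "authenticated": True, "ram_bytes": 3000}
PLAIN_LINK = {"name": "plain-link", "link_encrypted": False, "key_bits": 0, "authenticated": False, "ram_bytes": 400}
ROUTING = {"name": "secure-tree-routing", "link_encrypted": True, "key_bits": 128, "authenticated": True, "ram_bytes": 2500}

# Constructed (already mapped) user requirements and environment descriptions.
REQ_PIPELINE = {"application_type": "critical_infrastructure", "need_concealment": True, "need_integrity": True}
REQ_HOME = {"application_type": "home", "need_concealment": False, "need_integrity": True}
ENV_EXPOSED = {"physically_exposed": True, "ram_available": 8192}
ENV_SMALL_NODE = {"physically_exposed": True, "ram_available": 4096}

if __name__ == "__main__":
    for label, req, env, comps in [
        ("pipeline / secure stack", REQ_PIPELINE, ENV_EXPOSED, [AES_LINK, ROUTING]),
        ("pipeline / plain stack", REQ_PIPELINE, ENV_EXPOSED, [PLAIN_LINK, ROUTING]),
        ("pipeline / small node", REQ_PIPELINE, ENV_SMALL_NODE, [AES_LINK, ROUTING]),
    ]:
        print(label, "->", assess(req, env, comps) or "no conflicts")
```

Because the relations are ordinary functions, refining the model (slide 14's successive refinement) means adding a relation and a conflict text, not rewriting the evaluation; the topological sort keeps the evaluation order correct as the graph grows.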
- 15. Holistic Security Model (Ontology)
- 16. Focused Views on the Ontology
System properties can be derived Attacker model and capabilities
from the properties of the can be derived from the user requirements,
used components and the application context
- 17. Example for an Attack-centric Security Model
• Based on Attack Trees
– A system is secure if all attacks:
1. can be prevented (property of the system), or
2. do not apply (property of the system requirements)
[Figure: system security is obtained by propagation from the individual attacks, which are evaluated against the requirements/attacker model on one side and the system properties on the other]
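The attack-centric model of this slide, worked through as an added example (not code from the presentation or the projects): attacks form a tree with OR and AND nodes, each leaf names the attacker capabilities it requires (from the requirements/attacker model) and the system properties that prevent it, and security propagates from the leaves to the root. The system is secure when the root attack is not feasible; the open attack paths are the conflict list reported to the user. The tree, the attacker models and the system property sets are constructed assumptions.

```python
"""Attack-centric security model on an attack tree (added example).
A system counts as secure if every attack in the tree either does not apply
(the attacker model lacks a required capability) or is prevented (the system
has a countermeasure). Tree, capabilities and countermeasures are constructed."""
from dataclasses import dataclass, field


@dataclass
class Attack:
    name: str
    kind: str = "leaf"                       # "leaf", "or" (any child) or "and" (all children)
    children: list["Attack"] = field(default_factory=list)
    requires: frozenset = frozenset()        # attacker capabilities the attack needs
    prevented_by: frozenset = frozenset()    # system properties that each block the attack


def feasible(node: Attack, attacker: frozenset, system: frozenset) -> bool:
    """Security propagation: a leaf is feasible if it applies and is not prevented;
    an OR node if any child is feasible; an AND node only if all children are."""
    if node.kind == "leaf":
        applies = node.requires <= attacker
        prevented = bool(node.prevented_by & system)
        return applies and not prevented
    results = [feasible(child, attacker, system) for child in node.children]
    return any(results) if node.kind == "or" else all(results)


def open_paths(node: Attack, attacker: frozenset, system: frozenset, prefix=()) -> list[tuple]:
    """List the feasible leaf attacks with their path from the root: this is the
    conflict list the assessment reports to the user."""
    path = prefix + (node.name,)
    if node.kind == "leaf":
        return [path] if feasible(node, attacker, system) else []
    if node.kind == "and" and not feasible(node, attacker, system):
        return []            # one missing step defeats the whole combined attack
    return [p for child in node.children for p in open_paths(child, attacker, system, path)]


def is_secure(tree: Attack, attacker: frozenset, system: frozenset) -> bool:
    return not feasible(tree, attacker, system)


# Constructed attack tree for a pipeline monitoring node (not from the project).
TREE = Attack("compromise monitoring", "or", [
    Attack("eavesdrop readings", requires=frozenset({"radio_receiver"}),
           prevented_by=frozenset({"link_encryption"})),
    Attack("inject false alarm", "and", [
        Attack("forge frames", requires=frozenset({"radio_transmitter"}),
               prevented_by=frozenset({"message_authentication"})),
        Attack("know frame format", requires=frozenset({"protocol_knowledge"})),
    ]),
    Attack("extract keys from node", "and", [
        Attack("obtain node", requires=frozenset({"physical_access"}),
               prevented_by=frozenset({"tamper_detection"})),
        Attack("read out memory", requires=frozenset({"lab_equipment"}),
               prevented_by=frozenset({"secure_key_storage"})),
    ]),
])

# Attacker models derived from the application context (constructed).
REMOTE_ATTACKER = frozenset({"radio_receiver", "radio_transmitter", "protocol_knowledge"})
FIELD_ATTACKER = REMOTE_ATTACKER | {"physical_access", "lab_equipment"}

# Candidate system property sets (constructed).
PLAIN_NODE = frozenset()
CRYPTO_NODE = frozenset({"link_encryption", "message_authentication"})
TAMPER_RESISTANT_NODE = CRYPTO_NODE | {"tamper_detection"}

if __name__ == "__main__":
    for sys_name, props in [("plain", PLAIN_NODE), ("crypto", CRYPTO_NODE),
                            ("tamper-resistant", TAMPER_RESISTANT_NODE)]:
        for att_name, caps in [("remote", REMOTE_ATTACKER), ("field", FIELD_ATTACKER)]:
            print(f"{sys_name:16s} vs {att_name:6s}: secure={is_secure(TREE, caps, props)}",
                  [" > ".join(p) for p in open_paths(TREE, caps, props)])
```

The same tree gives different verdicts for different attacker models: the cryptographic node is secure against the remote attacker because the physical branch does not apply, but not against the field attacker, for whom only the tamper-detection property closes the branch. That is exactly the separation between "prevented" and "does not apply" the slide makes.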
- 18. General Architecture
- 19. Envisioned WSN Design Process
- 20. Example for a Component Selection Tool: configKit
– Selection of hardware
– Selection of required functions
– Definition of security properties
– Each change of inputs immediately updates the result
Fast and easy refinement process
– Proposed software configuration
– Including prediction of footprint
- 21. Example for a Component Selection Tool
- 22. Conclusions
• Assessment models can help to validate the fulfillment
of user requirements for a given system
– Proposed approach shows the general feasibility
• Challenges remain:
– How to elicit the requirements from the user and to
transform them to objective properties
– Find models for a priori reasoning about security-related
behavior and conflicts
– How to describe properties of components so that
they support composition of security
- 23. Thank You
Questions?
Web: www.wsan4cip.eu
www.tampres.eu
peter@ihp-microelectronics.com