High Level Security Mechanisms

Published Date: 02 Nov 2017

Embedded devices have nowadays an important role in a variety of systems, such as critical infrastructures or enhanced reality and e-health applications. Their resource-constrained nature and their deployment in dynamic, heterogeneous net- works which are commonly exposed to various attacks, even physical in nature, only exacerbate their security, privacy and dependability issues. The wide adoption of embedded systems for various application scenarios makes it imperative to face the abovementioned security issues, regardless of the layer these may be found in; the focus of current research on these issues is evident and justified.

The paper is organised as follows: Section II gives an overview of the trends in the research efforts, following a layered approach. In particular, Section II-A and Section II-B present the various technologies related to the hardware and virtualisation aspect of secure embedded systems, respectively. Section II-C deals with aspects related to security protocols and Section II-D presents some lightweight cryptographic mechanisms. Section II-E presents some key developments regarding high-level, holistic approaches to the security of embedded systems. Issues that future research could deal with are presented in Section III and the paper concludes in Section IV.

II. OVERVIEW OF TECHNOLOGIES

A. Hardware

There is a variety of hardware platforms being utilized in the literature, with equally varied capabilities, from highly- constrained devices like the TelosB, IRIS and MICAz motes from Crossbow Technology, to high power field-programmable

gate array (FPGA) platforms like the Spartan-6 family from

XILINX.

A significant area of security research related to Wireless Sensor Networks (WSN) aims at utilising Trusted Platform Module (TPM) hardware and adapting it to the specific needs of resource constrained applications. Such a TPM-related sub- ject is that of implementing the Direct Anonymous Attestation (DAA) scheme specified by the Trusted Computing Group (TCG). In [1] a detailed report on the implementation of the aforementioned functionality is provided, as well as sugges- tions for improvements. The presented experimental results indicate that especially the rogue detection part of the DAA protocol can be very time consuming and the overhead is very evident on resource-constrained devices (and increases linearly with the size of the black-lists of rogue TPMs). Moreover, problems with the mechanisms and protocols used to report compromised TPMs are identified. An anonymous authentication scheme based on an optimised version of DAA, aimed at resource-constrained mobile devices is presented in [2]. Functionality includes secure devices authentication, credential revocation as well as anonymity and untraceability of said devices against service providers. The proof-of-concept implementation was deployed on an ARM11-equipped devel- opment platform (exploiting the ARM TrustZone feature [3]), using an ECC and pairings scheme, while integration with the OpenSSL security framework was also demonstrated. On the subject of TPMs, research has also focused on the security extensions of mobile platforms for hosting Mobile Trusted Module (MTM) functionality. Two different reconfigurable MTM architectures are presented in [4]; the first one is based on a software implementation of the MTM running on the same physical processor as the applications using that MTM and the second is based on JavaCards providing the MTM functionality via the Java runtime environment, each with its own set of isolation mechanisms between the MTM and its users. The techniques utilise security features commonly found on mobile devices, i.e. Secure Elements and ARM TrustZone, proposing respective techniques for dynamic loading of TPM commands, aiming to alleviate the performance and memory issues arising from the security facilities of mobile platforms.

In terms of protocol technologies, the utilisation of Trusted Platform Modules and Virtualisation techniques is an emerging pattern in research efforts. A combination of the aforemen- tioned technologies is presented in [5], intending to provide a reference design for a Trusted Computing-based, light-weight, virtualisation framework specifically aimed at cloud computing scenarios, an increasingly important area of applications.

Anonymous Authentication and Anonymity schemes in general are another key area of current research, since privacy is essential in many application (e.g. social, medical). An analysis of how Trusted Computing technologies can be used for anonymous authentication and how they can be integrated into common security frameworks (e.g. Java Crypto Architec- ture) can be found in [6]. This work is based on the DAA scheme for providing anonymity over secure communications channels (i.e. anonymous TLS client authentication), but using alternative, more lightweight, schemes than those defined in the TPM v1.2 specification. Another interesting aspect of said work is the discrepancies reported between various TPM man- ufacturers (e.g. Infineon, Atmel, Winbond, Intel, ST Micro), TPM emulators and the original specification.

Regarding anonymous authentication, a Direct Anony- mous Attestation protocol utilising Near Field Communica- tion-equipped (NFC) [7] mobile devices and RFID is proposed in [8], expanding on the now relatively popular Secure Element (SE) scheme presented in [9]. Experimental results are also presented, using off-the-shelf mobile devices.

Further work on Trusted Computing Group anonymity schemes (i.e. PrivacyCA and DAA) is attempted in [10]. The goal is to overcome the need for a trusted third party which is evident in the aforementioned standard schemes, while maintaining compatibility with the TPM v1.2 specification. The proposed anonymisation scheme for trusted platforms overcomes the need for a trusted third party while, relying on the TPM’s DAA functionality so that no TPM modifications are required.

Another approach to WSN node security is based on the use of low cost, low energy consumption Complex Programmable Logic Devices (CPLDs), which are programmable logic de- vices whose complexity lies between that of Programmable Logic Arrays (PLAs) and that of Field Programmable Gate Arrays (FPGAs), sharing architectural features with both. A WSN platform which embeds a CPLD in a standard WSN node is presented in [11] and, as real-world experiments show, this CPLD-equipped platform can increase the performance of a standard WSN node by a factor of 1220 to 3000 when execut- ing certain algorithms and equally significant gains in power consumption, with a reported reduction of up to 98%. This concept is further expanded in [12], where various networking and security protocols are implemented on the aforementioned platform and real-world performance compared to existing schemes. In [13] RESENSE is presented, a complete node platform integrating this technique on popular WSN nodes (MICAz and IRIS from Crossbow Technology) running the TinyOS operating system.

B. Virtualisation

Virtualisation is a feature that research has shown it adds to the overall security of the system, in various ways. Firstly, it seems to be a remedy for facing the severe security challenges that mobile devices have, given that they are usually targeting a completely open setup [14]. In addition, efficient virtual machines have successfully been implemented in micro-kernel based systems, thus enabling the reuse of arbitrary operating systems [15]. The overhead imposed on the kernel growth was rather marginal and the overall performance was found

to be similar to other virtual machine implementations. An analysis on how and to which degree recent x86 virtualisation extensions can influence the response times of a real-time operating system that hosts virtual machines was performed in [16]. In [17] it was shown that a thin and rather simple virtualisation layer can add to the overall system’s security, as it provides fewer options for attack to a potential adversary. What is more, this approach was found to exhibit signif- icantly better performance, compared to contemporary full virtualisation environments. Finally, regarding the way virtual machines should be implemented, it is claimed in [18] that their construction should follow the principle of incremental complexity growth. Namely, additional functionality should not be included in the trusted computing base of a component if the benefits it offers are less than the drawbacks due to larger risk for introduced bugs and errors. Such an approach can be efficiently implemented and it was able to achieve high throughput and good real-time performance.

C. Protocols

??? The security and constraints stemming from the limited resources of sensor nodes have been investigated extensively. In [19] such an attempt at trying to tackle these issues is presented, giving an overview of the topic, including security and operational requirements, sensor and network constraints. Another overview, more focused on smart-home applications, can be found in [20], where key privacy and security issues, among others, are identified.

Secure routing protocols is another critical research area of networking technologies. In [24] an overview of security issues and current trends in trusted routing for ad-hoc networks is provided, evaluating their applicability in WSNs. Various trust- management enhanced routing protocols and trusted routing frameworks are investigated, focusing on their applicability on resource constrained environments. A better-suited to such en- vironments secure routing protocol is proposed in [25], namely Ambient Trust Sensor Routing (ATSR) and its performance and effectiveness is evaluated. In ATSR the geographical loca- tion of nodes along with other parameters (e.g. their remaining energy; for better load balancing and lifetime extension) are considered. Moreover, said protocol features a distributed trust model, based both on direct and indirect trust data, to detect malicious nodes.

The interactions between secure routing protocols and the Service Discovery functionality on WSN networks where the nodes are used as service providers are investigated in [26]. Simulation results presented in the aforementioned work in- dicate that in some situations there is an efficiency gain if routing protocols allow the higher layers to override the routing decisions.

Intrusion Detections Systems (IDS) are a key tool in safe- guarding distributed ES networks. A dynamic and distributed IDS scheme is presented in [27] and further expanded in [28], where nodes act as local monitors of their neighbours and, in combination with data received from other monitors, are able to detect malicious entities. Simulations are used to prove the effectiveness of the proposed methods, with applications focusing mostly on smart-vehicles. Defensive techniques for sensor networks based on the nodes’ locations are surveyed

in [29]; assuming every node is capable of detecting its own location. Furthermore, concepts of robust statistics (i.e. robust regression) are proposed, aiming to localise a node in the presence of malicious beacons. To facilitate the analysis and understanding of IDS data, various advanced methods have been investigated, including neural network-based techniques for the virtualisation of said data, as presented in [30].

D. Cryptographic Primitives

An overview of the literature pertaining to time and energy overhead various cryptographic primitives impose on popular types of wireless sensor nodes is presented in [21]. A number of symmetric and public-key algorithms, hash functions and cryptographic primitives in general are mentioned as well as their lightweight counterparts, where available. It is worth pointing out that the node lifetime data presented refer to the overhead imposed by the security-related functionality alone and, in a real-life scenario, values would be significantly lower due to additional functions running on the same node.

Whenever strong encryption is required on rather resource- constrained devices, elliptic-curve cryptography (ECC) is al- ways a strong candidate. In [22] the finite fields Fp , F2d and Fpd are being investigated for suitability for performing ECC on the ATmega128 microcontroller and it turns out that binary fields are most preferable when efficient implementations are required.

An interesting security scheme for WSN that provides transparent security is proposed in [23]. This scheme is ef- fectively a lightweight CBC-X mode cipher that is able to provide encryption/decryption and authentication all in one. Consequently, it exhibits significant energy gains of about 50-

60%, compared to TinySec.

E. High-Level Security Mechanisms

Moving to research pertaining to higher layers, the aspect of reconfigurability and its repercussions on security are con- sidered in [31]. A security architecture is proposed which, based on a middleware layer, offers secure reconfiguration and communication (i.e. SecComm component framework) with fine-grained application-specific policy enforcement, au- thenticated downloading from a remote source (i.e. ALoader component framework) as well as a rekeying service for key distribution and revocation (i.e. Rekeying component frame- work).

Trusted Software is another important area of research and [32] proposes a Trusted Software Stack (TSS – which acts as an interface between applications and a TPM) to be integrated into existing security framework, facilitating the adaptation to Trusted Computing technology. The prototype developed and proposed uses the .NET programming environ- ment, taking advantage of the environment’s fault-detection functionality (e.g. regarding buffer overflows), portability and developer base.

Furthermore, a capability-based, object-oriented software architecture is presented in [33]. Featuring a micro-kernel interface and enforceable security policies along with visu- alisation provisions, it aims to improve security and provide isolation between multiple un-trusted software components.

In [34] the server side of Trusted Computing function- ality is examined, presenting a design based on the Nizza Architecture [35] but minimising the trusted computing base and aiming to provide anonymous and trustworthy service for users, even counteracting certain insider attacks which, with the proposed scheme cannot go undetected.

In [36] a software platform called MWSAN is proposed, that provides high-level services for sensor and actor networks. It follows the component-oriented paradigm and it leaves it up to the developers to configure it according to the actor and sensor resources, by taking into consideration issues such as the network configuration, the quality of service and coordination among actors.

The main features of a secure software solution for embed- ded peer-to-peer systems, in order to face the various security challenges of the Internet of Things (IoT) are presented in [37]. The presented service model and component-based middleware satisfies necessary principles such as security, heterogeneity, interoperability and scalability.

An extensive overview of a particular category of secure low level software layer, namely the context-aware middle- ware, is presented in [38], whereas [39] covers service com- position mechanisms in ubiquitous computing. An ontology- based approach has been followed using the Web Ontology Language (OWL) and Semantic Web Rule Language (SWRL) in order to develop monitoring and diagnosis rules [40]. In this way, any malfunctions can be detected and self-healing procedures can be invoked, in an effective, extensible and scalable way. A similar ontology-based approach was also presented in [41]. Enriching the relations between the different systems’ parts with semantic information, as well as exploiting contextual process data, can yield useful information which can be fed into the various control and decision-making algorithms [42], [43].

The utilisation of the aforementioned concepts to enhance user profiling and trust sharing and to offer content and context-awareness for cloud-based services is also discussed in [44].

III. FUTURE ENHANCEMENTS

The increased complexity and interconnection of the cur- rent systems’ components, as well as the varying and often undefined security levels of the networks they consist of, demands for different approaches in the way the requirements are stated, in addition to the way these systems are designed. An integrated approach is required, where the components’ security level is properly and systematically assessed, thus enabling the correct evaluation of the architecture’s overall security level. In order for this to occur, reliable and useful metrics need to be defined, also applicable to legacy and therefore potentially insecure systems.

The exploitation of advancements in the energy field could be examined and, if possible, exploited, either as the main power source or failsafe alternatives. Such advancements in- clude super-capacitors, micro-generators, micro-solar cells as well as wireless charging schemes. In the case of FPGA- equipped devices, the concepts of self-reconfiguration (e.g. in order to adapt to changes in the network, service or location)

and self-recovery (e.g. in fault condition) could be investigated further. This can be achieved via on-the-fly hardware and/or software changes.

Furthermore, lightweight alternatives to existing crypto- graphic primitives (e.g. hash functions) and key distribution mechanisms could be looked into. The development of a com- prehensive cryptographic library focused on embedded systems and featuring lightweight primitives would be a very important development, including utilisation of TPM functionality and features, where available. Moreover, authentication protocols based on the aforementioned lightweight cryptographic primi- tives could be developed, utilising software/hardware co-design techniques (i.e. with simultaneous development of hardware implementations) to maximise efficiency. What is more, in cases where dependability is important, the concept of using virtual computing to offer a form of redundancy, on a vir- tual/software level, could be explored.

Wearable systems introduce more challenges, like devel- oping the means to securely and seamlessly collect, store and transmit various data, some of which might be private sensitive in nature (thus having to consider regulatory compliance issues that arise when dealing with such data). Access to location- based services is a given requirement in such applications, which again raises privacy concerns and thus mandates the development of efficient anonymising schemes. Their func- tionality must allow the user to access said services, while prohibiting the service provider from uniquely identifying the specific user’s identity and location among the rest of the users.

Future research could perhaps focus on revising the tradi- tional role of middleware (namely, facilitating interaction and compositions via discovery and orchestration), by upgrading it and expanding it to that of a recommendation engine, able to dynamically and adaptively detect patterns and predict potential service interactions, thus better reflecting the new crowdsourcing, social and generally human-related applica- tions.

IV. CONCLUSIONS

A survey was performed on research efforts related to embedded systems security, a very active field that has ab- sorbed significant resources. Some of the evident trends are the optimal employment of Trusted Platform Modules (TPM) and their Direct Anonymous Attestation (DAA) functionality in resource constrained devices, the exploitation of other embed- ded security features (e.g. ARM TrustZone and virtualisation techniques) and other advanced mechanisms like reputation- based Intrusion Detection Systems and context-aware middle- ware. Since embedded systems mostly consist of resource- constrained devices, the use of lightweight cryptographic primitives is of vital importance and is therefore attracting significant focus. Moreover, privacy-aware techniques (anony- mous authentication schemes, for instance) are employed to protect privacy in ubiquitous environments. Various open se- curity issues have been identified in all the abovementioned areas, which future research will have to further analyse and hopefully resolve, in order to facilitate the wider adoption of embedded systems, a pre-requisite for the realisation of the Internet of Things.

ACKNOWLEDGMENT

This work was funded by the European Community’s Seventh Framework Programme Artemis nSHIELD (new em- bedded Systems arcHItecturE for multi-Layer Dependable solutions) project. Call: ARTEMIS-2010-1, Grand Agreement No.: 269317.