Scaling systems securely: challenges and risks
William Whyte, Chief Scientist
2016-03-16
About Security Innovation
• Authority in Software Security
– 15+ years research on vulnerabilities
– Security Testing methodology adopted by Adobe, Microsoft, Symantec, McAfee, and others
– Security partner for Dell, Microsoft, Cisco, HP, IBM, PCI SSC, FS-ISAC, NXP, and others
– Authors of 16 books, 4 co-authored with Microsoft
– 9 Patents
About me
• Standards
– Chair of IEEE P1363, vice-chair of IEEE P1609
• Large-scale design
– Member of design team for Secure Credential Management System for V2V deployment
• Deployment
– Working with New York City Pilot Deployment to develop Security Management Operating Concept
• Cryptography
– Member of research team developing NTRU and related cryptographic technologies
• Major professional focus: How can we get a 300 million device system to work securely?
Outline
• Growing systems securely
• Securely
– Setting them up
– Maintaining them
– Data management and privacy
• Growing
– Across number of devices
– Around the world
– Through time
Our main setting: Vehicle-to-Anything (V2X)
Illustrations from https://www.itsconnect-pc.org/en/about_its_connect/service.html
• Peer-to-peer applications
– Multiple different suppliers
• “Centralized” security management
– Not always contactable
– May be different across applications
– May be different across countries
• Long-lived devices
– Cost sensitive
– Limited central connectivity
– Limited P2P bandwidth
• Huge scale
– 300 million cars on the road in the US, mandate coming
The biggest constraint on scalability
• People who have to get it right
People taking responsibility is the bottleneck
• Individual decisions made centrally by humans don’t scale
– Lumpy
– Hard to plan for
– Slow
• Edge decisions made by humans can scale so long as there aren’t too many of them
• Scalable decisions made centrally by humans do scale
– Write this code, push this update, …
• Systems scale successfully when decisions made by humans can be scaled
• Scaling is a risk when those decisions are wrong
• How can we leverage central decisions to make sure my car gets good data from your car?
Peer-to-peer
• How can my car be sure that your car’s data is good?
• Bad faith / poor execution
• Need 300m devices that are:
– Authenticated
– Certified
– Well-implemented
– And have 1000+ certificates per year
• … without needing 300 billion human decisions
V2V Security Credential Management System
• Standard PKI plus…
• Large-scale revocation
• Privacy protection
• Lots of devices
• How do we manage central decisions made by people?
– Enrolment v authorization certs
– Device certification
– Revocation and misbehavior investigation
Enrolment v authorization
• Enrolment certificate at the start of device’s lifetime
– Used only for SCMS communications
• Authorization certificate refreshes during device’s lifetime
– Used for peer communications
• Down to 17m decisions per year!
• Now the problem is to make sure the Enrolment CA makes the right decisions
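As an added illustration (not from the slides or the SCMS design itself), the following Python toy models the two-tier flow above: a human-gated enrolment CA issues one long-lived enrolment certificate per device, an automated authorization CA issues weekly batches of short-lived pseudonym certificates against it, peers check only the latter, and revocation works at either tier. HMAC stands in for real certificate signatures; the class names, week-based validity windows, batch size and device identifiers are assumptions.

```python
import hashlib, hmac
from dataclasses import dataclass
@dataclass(frozen=True)
class Cert:
    subject: str     # device id (enrolment) or pseudonym (authorization)
    kind: str        # "enrolment" or "authorization"
    not_before: int  # validity window, in weeks since deployment
    not_after: int
    sig: bytes

class CA:
    def __init__(self, name):
        # HMAC under a per-CA secret stands in for a real signing key (constructed).
        self.key = hashlib.sha256(f"toy-key:{name}".encode()).digest()
        self.revoked = set()
    def sign(self, subject, kind, nb, na):
        tag = hmac.new(self.key, f"{subject}|{kind}|{nb}|{na}".encode(), "sha256").digest()
        return Cert(subject, kind, nb, na, tag)
    def verify(self, cert, kind, week):
        expected = self.sign(cert.subject, cert.kind, cert.not_before, cert.not_after).sig
        return (cert.kind == kind and cert.subject not in self.revoked
                and hmac.compare_digest(cert.sig, expected)
                and cert.not_before <= week < cert.not_after)

class EnrolmentCA(CA):
    def __init__(self, name):
        super().__init__(name)
        self.human_decisions = 0  # the count the slides want to minimise
    def enrol(self, device_id, lifetime_weeks):
        # One vetted, human-gated decision per device, taken once at the start of its life.
        self.human_decisions += 1
        return self.sign(device_id, "enrolment", 0, lifetime_weeks)

class AuthorizationCA(CA):
    def __init__(self, name, enrolment_ca):
        super().__init__(name)
        self.enrolment_ca, self.automated_issues = enrolment_ca, 0
    def refresh(self, enrolment_cert, week, batch=20):
        # Fully automated: a valid, unrevoked enrolment cert earns this week's pseudonym batch.
        if not self.enrolment_ca.verify(enrolment_cert, "enrolment", week):
            return []
        self.automated_issues += batch
        # Pseudonym names carry no device id in the clear (a stand-in for SCMS unlinkability).
        names = [hashlib.sha256(f"{enrolment_cert.subject}|{week}|{i}".encode()).hexdigest()[:16]
                 for i in range(batch)]
        return [self.sign(n, "authorization", week, week + 1) for n in names]

def peer_accepts(auth_ca, cert, week):
    # What another car checks: an authorization cert valid this week; enrolment certs are never shown to peers.
    return auth_ca.verify(cert, "authorization", week)
```

Every weekly refresh and every peer check runs without a person in the loop; only `enrol` increments the human decision counter, which is the point of the enrolment/authorization split.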
Device certification
• Device is correctly implemented
– We have the requirements right
– It is properly tested
– It will stay secure
• If we can guarantee this then we only need type certification
– But…
Device certification issues
• Testing against requirements is expensive
– $100,000 for Common Criteria conformance
– Bug fixes could require recertification
• Requirements change
– Attacks evolve
• Different labs have different standards
– … because different countries have different standards
• US/EU/Australia Harmonization Task Group 6 on Intelligent Transportation Systems Security
– US status of type certification for V2V devices is still open
• Ability to scale is a problem of governance, not a problem of technology
Disaster recovery in large systems
• Removing bad actors
– Privacy v security
• Repairing faults
Removing bad actors
• Cars can report suspicious messages
– “Ghost vehicles”
• Advantage: misbehavior can be detected
• Disadvantage: innocent users can be tracked
• How to enable misbehavior detection without widespread tracking?
– Careful data management processes
• Is this a universal problem?
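One shape such a data-management process could take, added here as an illustration rather than anything the slides or the SCMS design specify: reports are keyed by the suspect's pseudonym only, the reporter survives only as a one-way digest used to discount duplicate reports, escalation to a human investigator happens only after independent corroboration, and evidence that never reaches that bar ages out. The threshold, retention window, report fields and pseudonym strings are assumptions.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Report:
    reporter: str   # pseudonym the reporting car is currently using
    suspect: str    # pseudonym that signed the suspicious message
    week: int
    reason: str     # constructed labels, e.g. "ghost-vehicle"

class MisbehaviourStore:
    """Keeps reports keyed by suspect pseudonym only; escalates to a human once a
    corroboration threshold is met; purges everything else after a retention window."""
    def __init__(self, threshold=3, retention_weeks=4):
        self.threshold, self.retention = threshold, retention_weeks
        self.evidence = defaultdict(dict)   # suspect -> {reporter digest: (week, reason)}
        self.escalated = {}                 # suspect -> week it was handed to a person

    def ingest(self, r):
        # A one-way digest of the reporter is enough to discount repeat reports from one
        # car without retaining the reporter's pseudonym itself.
        who = hashlib.sha256(r.reporter.encode()).hexdigest()[:16]
        self.evidence[r.suspect][who] = (r.week, r.reason)
        if r.suspect not in self.escalated and len(self.evidence[r.suspect]) >= self.threshold:
            self.escalated[r.suspect] = r.week   # the one human decision point
        return r.suspect in self.escalated

    def purge(self, now):
        # Suspects that never reached the threshold age out: a car that merely looked odd
        # once is not kept as a tracking record.
        for suspect in list(self.evidence):
            if suspect in self.escalated:
                continue
            self.evidence[suspect] = {k: v for k, v in self.evidence[suspect].items()
                                      if now - v[0] < self.retention}
            if not self.evidence[suspect]:
                del self.evidence[suspect]

    def pending_human_decisions(self):
        return sorted(self.escalated)
```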
Removing bad actors: and finally…
• Can a removal decision be legally challenged?
• If so, this becomes one of those human decisions we were trying to minimize
Outline
• Growing systems securely
• Securely
– Setting them up
– Maintaining them
– Data management and privacy
• Growing
– Across number of devices
– Around the world
– Through time
Future threats & mitigations
• Quantum computers
– Can break all current popular public-key cryptography
• Threat to application messages
– Research going on through, e.g., http://pqcrypto.eu.org/
• Threat to secure update
– Secure post-quantum signatures exist but…
– Currently no hardware support
Conclusions
• Minimizing human decisions
– Device certification
• International agreement on requirements
• International agreement on conformance testing culture
– Clear decision criteria for revocation
• Proper data management
– Preserve privacy for
• General users of the system
• Innocent users accidentally included in misbehavior reports
• Users suspected of violations?
• Secure update
– Crypto algorithm agility
– As little reliance as possible on hardware for application messages
– Hardware support for post-quantum secure update
When building a secure, large-scale, peer-to-peer, privacy preserving, international, long-lived, poorly connected system, pay attention to…