Guest post: The security of everyday things

Assistant professor Wil Robertson studies systems security research. Photo by Brooks Canaday.

This post was written by assistant professor Wil Robertson.

We are in the midst of an explosive proliferation of computing devices. Computing was once confined to the domain of massive, expensive mainframes tended by teams of specialists, but technological and economic forces have pushed ever smaller and more capable devices into our work and social lives. Now, it’s commonplace to have a laptop, a smartphone, a tablet, and any number of peripheral supporting devices, each of which is likely to be networked and orders of magnitude more powerful than those dusty old mainframes. And there’s no reason to believe that these devices won’t continue to evolve, appearing in ordinary objects where we would never have expected them.

One need look no further than Glass, Google’s project to integrate computing resources into eyeglasses, to see the way the world is moving. High-profile examples aside, however, there’s a widespread movement underway to embed more powerful CPUs and network interfaces into just about every device you could imagine; think printers, security cameras, watches, and environmental controls.

With all of this convenience and power come hidden dangers. As security researchers in the Northeastern Systems Security Lab, we have long known that assuring there isn’t any hidden malicious functionality lurking in the hardware or software running on traditional desktops and servers is a difficult problem. But over the years we’ve developed ways to mitigate this threat through monitoring, sandboxing, and other means. The concern now is how to deal with new classes of embedded devices that can be easily transported and installed behind otherwise hardened security perimeters. That is the focus of a new $1.2M DARPA-funded project we are conducting.

Let’s consider a concrete scenario. Imagine that your IT department has installed a new set of wireless routers in your building. But, unbeknownst to them, the router firmware — i.e., the embedded code that implements the router’s functionality — contains a hidden trigger that activates after enough data has passed through the device. The trigger sends a beacon out over the corporate network to a group of hackers; because the connection originates from inside the organization, it’s allowed to traverse the company firewall. The hackers use this connection to remotely control the device, essentially giving them a foothold inside of the organization they can use to capture data passing through the device or probe other devices on the network for vulnerabilities they can exploit. Our challenge in this project is this: Can we identify the presence of this malicious behavior before the device has been deployed to the target?

To tackle this problem, we’re using a set of techniques referred to as program analysis, which — simply put — provides ways of discovering facts about how a program behaves in response to input from its environment. Program analysis has a long history, but our project is focusing on developing analyses specific to rooting out hidden malicious behaviors. One example of this is dynamic analysis, which consists of running a device in an instrumented environment that allows us to automatically observe who the device contacts, what data it sends, and much more. In some ways, the process is akin to putting a specimen under a microscope and probing it to see how it responds.
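The kind of observation described above, as an added example that is not from the original post or the lab's tooling: it scans constructed flow records from a test network for connections the device itself initiates to destinations outside an expected baseline, and records how much traffic had passed through the device before the first such contact. The addresses, the baseline set and the record format are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed flow records, as an instrumented test network might log them.
Flow = namedtuple("Flow", "t src dst dport nbytes")

DEVICE_IP = "192.0.2.1"            # assumed address of the router under test
BASELINE = {("192.0.2.53", 53),    # assumed: resolver the device is configured to use
            ("192.0.2.123", 123)}  # assumed: NTP server the device is configured to use

FLOWS = [  # constructed sample data
    Flow(1,  DEVICE_IP,  "192.0.2.123", 123, 90),
    Flow(2,  "10.0.0.7", "198.51.100.20", 443, 400_000),
    Flow(5,  DEVICE_IP,  "192.0.2.53", 53, 120),
    Flow(9,  "10.0.0.8", "198.51.100.21", 443, 700_000),
    Flow(14, "10.0.0.7", "198.51.100.20", 443, 900_000),
    Flow(15, DEVICE_IP,  "203.0.113.99", 8443, 256),   # device-originated, not in baseline
    Flow(20, "10.0.0.8", "198.51.100.21", 443, 300_000),
    Flow(45, DEVICE_IP,  "203.0.113.99", 8443, 256),
]

def unexpected_device_contacts(flows, device_ip, baseline):
    """Return destinations the device itself contacted that are outside the baseline.

    Each finding records when the destination first appeared and how many bytes
    of client traffic the device had forwarded by then; a contact that shows up
    only after heavy traffic is consistent with a volume-based trigger.
    """
    forwarded = 0
    findings = {}
    for f in sorted(flows, key=lambda f: f.t):
        if f.src != device_ip:
            forwarded += f.nbytes      # client traffic passing through the device
            continue
        key = (f.dst, f.dport)
        if key in baseline:
            continue                   # expected housekeeping traffic
        hit = findings.setdefault(key, {"dst": f.dst, "dport": f.dport,
                                        "first_seen": f.t,
                                        "forwarded_before": forwarded,
                                        "count": 0})
        hit["count"] += 1
    return list(findings.values())

if __name__ == "__main__":
    for hit in unexpected_device_contacts(FLOWS, DEVICE_IP, BASELINE):
        print(hit)
```

Repeating the run with different amounts of client traffic and comparing `forwarded_before` across runs is one way to tell a volume-dependent trigger from a time-dependent one.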

However, discovering hidden malicious behavior is no easy task. Hackers have innumerable ways to try to evade detection, from requiring extremely complex trigger conditions before the malicious actions execute, to exploiting subtle differences between a real environment and the analysis environment to determine whether the code should hide its malicious behavior. Much of our research has dealt with similar problems in the traditional malware world, and we anticipate similar challenges in this context.

Despite the challenges, we’re very excited to be solving emerging problems, staying one step ahead of the attackers, and producing research that will result in a safer, more secure Internet for everyone.