Secure the Edge to protect the Core

Software Attestation and Edge Network Security

The first step in any system security design is a risk analysis to answer fundamental questions about external interfaces and operating threats. While encrypted communication and user authentication controls are straightforward enough, a system security architecture quickly becomes complex when answering the question, “How does a system ensure software is trustworthy?”

Attestation is the process of validating software authenticity during startup and periodically during operation. The purpose is to detect software tampering and code injection. There are many tradeoffs to consider in security design, including public key storage, start-up timing, impact on performance, software updates, and private key management. Solutions range anywhere from on-chip secure boot, such as the i.MX processor, to a Trusted Platform Module (TPM) co-processor, or software-based solution. Each has its own risks, cost, and design impact which is why it’s important to engage with cybersecurity design experts.

Without attestation checks, malicious software can quietly run in the background collecting system and local network data, or even perform a pivot-attack by sending malicious commands in attempt to exploit other devices. Starting with hardware, attestation checks software layer by layer using digital signature algorithms to verify authenticity. This process makes sure none of the operational security controls, like command authentication and encryption can be bypassed by the malicious code.

Securing Millions of Lines of Code in the IoT

Attestation may protect the intended security controls but makes no promises about the quality of the software itself. A zero-day attack is the exploitation of a latent defect within completely authentic software, typically resulting in the injection of malicious code to compromise data or operations. Without attestation, the modified code can be stored to memory and executed every time.

According to Steve McConnell’s book, “Code Complete”, the industry average of latent defects is about 15-50 errors per 1000 lines of delivered code (KLOC). With even the most experienced software developers, Microsoft reports 10-20 defects per KLOC during testing and .5 defects per KLOC in production.

In 2017 Visual Capitalist article, an average iPhone app has 50,000 lines of code, a military drone uses 3.5 million lines of code, Android operating system includes 12-15 million lines, and modern car contains 100 million lines of software. Most IoT devices rely on an operating system and third party libraries to reduce time to market, so even at a conservative 1 million lines of code, this means there’s anywhere from 500 latent defects (if you’re Microsoft) to upwards of 50,000. What’s the probability there’s a zero-day attack somewhere in there? Now multiply it by the number of different IoT devices currently on your network. Bottom line, even with the best security design, no IoT device is completely trustworthy.

On a more alarming scale, the supply chain attack against SolarWinds’ Orion network monitoring platform in 2020 sent shockwaves throughout the world, with suspected state-sponsored hackers gaining access to U.S. government agencies, critical infrastructure entities and private sector organizations. The injection of malicious code into Orion between March and June 2020 allowed the hackers to compromise Microsoft and FireEye, as well as U.S. Departments of Defense, State, Treasury, Homeland Security and Commerce.  The SolarWinds’ hack was severe because it took place on the build server, injecting malicious code before the digital signing process. As a result, the compromised software became authenticate and undetected by system attestation checks.

Edge Network Security

Since attestation and security design are unable to address all vulnerabilities, IoT device users need another layer of defense to protect their data and core computing resources. An edge network security solution provides the needed reinforcement to detect and contain the impact of a compromised device though the following capabilities:

1. VPN/VLAN Encryption: Segmenting devices on to their own network or private cloud protects other computing resources from traffic monitoring and pivot attacks.  The combination of a network encryptor with endpoint software is the building blocks to FEDRAMP and Commercial Solutions for Classified (CSfC) approval. 
2. Gateway: Monitors and controls the networks, subnets, addresses, and ports a device may communicate. This minimizes incoming network attacks, while controlling outgoing message destination in the event of compromise.  Robust event reporting enables administrators to detect and take action.
3. Deep Packet Inspection: Monitors and controls the type of messages communicated between approved systems to ensure only valid data is exchanged between approved endpoints.

Ultra CYBER’s edge network security solutions combine encryption, gateway, and deep packet inspection into wired, wireless, and embedded form factors to meet any operating need. Ultra CYBER supports clients with best practice products and services to protect critical infrastructure device operation and data.

Find out more about Ultra’s Edge Network Security solutions here.