Date post: 09-Mar-2018

Lecture 12

Security, Safety and Trust in Ubiquitous Computing

Security concept and special issues in Ubicomp

Safety concept and special issues in Ubicomp

What is “trust” and its features in Ubicomp

Security

Security is the degree of protection against danger, damage, loss, and criminal activity.

Security has to be compared to related concepts: safety, continuity, reliability.

The key difference between security and reliability is that security must take into account the actions of people attempting to cause destruction.

IT Security Categories

Data Security

Information Security

Network Security

Computer Security

Application Security

General Security Requirements

Secure systems are often defined to fulfill three basic requirements, also called the "CIA triad":

Confidentiality means that private data should only be accessible to authorised users. It is sometimes also called secrecy.

Integrity means that it should be impossible to undetectably modify protected data.

Availability means that authorised users should always (or at least at clearly defined time periods) be able to access data or services. The implication is that unauthorised users should be unable to deny access for authorised users.

Types of Security Attacks

Figure: attacks on a message sent from A to B

- interception
- interruption (denial of service)
- modification, e.g. replay
- fabrication, e.g. masquerade

*Mobile code: viruses, worms, Trojan horses, …

Many Computational Objects in Ubicomp

Thank God! Ubiquitous Computing is around me …

Security Issues in Ubicomp

Wireless media supporting from personal-area to wide-area networks

Ad-hoc device association at different layers

Location and context considerations in policy management

Heterogeneity of content encoding

Variability in processing and storage capabilities of devices

Heterogeneity of security & privacy policies

RFID-related Privacy Problem

Figure: tagged items a person is carrying, as a reader could enumerate them: 1500 USD in wallet (serial numbers: 597387, 389473); wig model #4456 (cheap polyester); 30 items of lingerie; books and their names (xxx, yyy, zzz); replacement hip medical part #459382.

RFID-related Security

- Information leakage: an unauthorized person or reader is able to obtain information about the tagged item by reading the tag. E.g. personal data stored in the card.
- Malicious traceability: an unauthorized person or reader is able to track the same tag. E.g. tracking of employees by the boss, tracking of children in a park, tracking of military troops, etc.
- Denial of service: preventing the reader/tag from fulfilling its normal service. E.g. electronic noise, etc.
- Relay attacks

RFID Relay Attacks

Device Security in IoT

Devices are not reachable
- Most of the time a device is not connected

Devices can be lost and stolen
- Makes security difficult when the device is not connected

Devices are not crypto-engines
- Strong security difficult without enough processing power

Devices have finite life
- Credentials need to be tied to lifetime

Devices are transportable
- Will cross borders

Devices need to be recognised by many readers
- What data is released to what reader?

Security Issues in IoT

Assurance
- Risk analysis
- Device analysis
- Crypto capability and export analysis
- RFID tags will not do crypto for some years

Security objective
- Privacy protection
- Identity protection
- Traffic analysis protection

Identity and identifier management
- Separation of identity and identifier

Security–related Aspects in Ubicomp

Figure: security-related aspects in Ubicomp, layered as devices (RFID, sensor, actuator, cell phone), services, applications, users, space, and whole systems (WSN, CPS, IoT, …).

WSN Security Requirements & Attacks

Spoofed, altered and replayed routing information

Selective Forwarding

Sinkhole attacks

The Sybil attack

Wormholes

Data Confidentiality – prevention of data leaks to neighbouring networks.

Data Authentication – verification of sender/receiver.

Data Integrity – data is not altered in transmission.

Data Freshness – ensuring data is recent while allowing for delay estimation.

WSN Routing and Data Collection

Wormhole Attack

Most packets will be routed to the wormhole

The wormhole can drop packets or more subtly, selectively forward packets to avoid detection

Smart u-Things – Real World Challenges

Smart u-Things are emerging
- Many scenarios: Weiser’s Sal, AmI’s Maria/Dimitrios/Carmen, Aura’s Jane/Fred, …
- Lots of research and many various prototypes: the research boom has come
- But rare practical ones: the application boom is still to come, because of real world complexity

Ideal Smart u-Things are expected to be able to act adaptively and automatically according to the following, each with a related challenge:

1. Surrounding Situations – Challenge 1: Situation Approximation
2. Users’ Needs – Challenge 2: Knowing Users’ Needs
3. Things’ Relations – Challenge 3: Complex Things’ Relations
4. Common Knowledge – Challenge 4: Knowledge Management/Growth
5. Own Goal, Role, etc. – Challenge 5: Self Awareness
6. Error and Exception – Challenge 6: Looped Self Adjustment
7. Safety & Satisfaction – Challenge 7: UbiSafe

The above challenges come from the intrinsic characteristics of the real world:
- RW == physical + social + natural + …: uncertain, unpredictable, changing, …
- RW computing: complicated/abstruse philosophical, social, ethical & other implications
- Understanding real world (RW) diversity and complexity is extremely hard!!
- Novel cyber dimensions are newly added in physical-digital combined u-things

Safety-related Computing

Safety-related Computing
- Not new, studied for decades
- Reliability, security, fault tolerance, survivable, dependable, safety-critical system, risk management, human factor, etc.

Trust/Trusted/Trustworthy Computing (TC) - Fashion
- A general paradigm to cover security, privacy, identity-awareness, reliability, risk, reputation, maintenance, after-service, and so on
- Trust is only one factor in cooperation and decision-making
- Cooperation is only one relation between computing entities
- US DoD: A trusted component can break the security policy
- TC pushed hard by industry (e.g. Microsoft, TCG)

Reliability → Security → Dependability → Trust → Ubisafe ?

Trust and Trust Features

A => B: Where is Bob?
A => C: Where is Bob?
A => D: Where is Bob?

B => A: Bob is home.
C => A: Bob is at work.
D => A: Bob is home.

A <= B: Bob at home, C: Bob at work, D: Bob at home.
A: I have enough trust in D. What about B and C?

A: Do you trust C?
C: I always do.
D: I don’t.
B: I am not sure.
E: I don’t.
F: I do.
A: I don’t care what C says. I don’t know enough about B, but I trust D, E, and F. Together, they don’t trust C, so neither will I.

A: Do you trust B?
C: I never do.
D: I am not sure.
B: I do.
E: I do.
F: I am not sure.
A: I don’t care what B says. I don’t trust C, but I trust D, E, and F. Together, they trust B a little, so will I.

A: I trust B and D, both say Bob is home…
A: Bob is home!
A: Increase trust in D.
A: Decrease trust in C.
A: Increase trust in B.
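The "Where is Bob?" scenario above, worked through as a trust-weighted vote with recommendation and feedback. This is an added example, not from the lecture; A's numeric trust values, the 0.6 listening threshold and the mapping from the slides' answers to scores are assumptions.

```python
"""'Where is Bob?' from the slides as a trust-weighted vote. Added example,
not from the lecture; trust values and the threshold are constructed."""

# A's direct trust in each peer (0.0 .. 1.0); None = A knows nothing yet.
DIRECT_TRUST = {"B": None, "C": 0.2, "D": 0.9, "E": 0.8, "F": 0.8}
REPORTS = {"B": "home", "C": "work", "D": "home"}       # "Where is Bob?"
SCORE = {"I always do.": 1.0, "I do.": 1.0, "I am not sure.": 0.5,
         "I don't.": 0.0, "I never do.": 0.0}             # slide answers
THRESHOLD = 0.6    # A only listens to peers it trusts at least this much

def recommended_trust(target, answers, direct):
    """Trust-weighted mean of what A's trusted peers say about `target`.
    The target's own answer and peers A distrusts or does not know are
    ignored ("I don't care what C says"). None if nobody qualifies."""
    num = den = 0.0
    for peer, answer in answers.items():
        t = direct.get(peer)
        if peer != target and t is not None and t >= THRESHOLD:
            num, den = num + t * SCORE[answer], den + t
    return None if den == 0 else num / den

def decide(reports, direct):
    """Trust-weighted vote over the reports -> (winning claim, weight)."""
    votes = {}
    for peer, claim in reports.items():
        t = direct.get(peer) or 0.0
        if t >= THRESHOLD:
            votes[claim] = votes.get(claim, 0.0) + t
    best = max(votes, key=votes.get) if votes else None
    return best, votes.get(best, 0.0)

def feedback(decision, reports, direct, step=0.1):
    """Raise trust in peers whose report matched the decision, lower the
    others (the slides' 'increase trust in D, decrease trust in C')."""
    for peer, claim in reports.items():
        t = direct.get(peer) or 0.0
        direct[peer] = min(1.0, t + step) if claim == decision else max(0.0, t - step)
    return direct

def run_scenario():
    """Replay the four slides; returns (where Bob is, A's updated trust)."""
    direct = dict(DIRECT_TRUST)
    about_c = {"C": "I always do.", "D": "I don't.", "B": "I am not sure.",
               "E": "I don't.", "F": "I do."}
    about_b = {"C": "I never do.", "D": "I am not sure.", "B": "I do.",
               "E": "I do.", "F": "I am not sure."}
    direct["C"] = recommended_trust("C", about_c, direct)   # D, E say no; F yes
    direct["B"] = recommended_trust("B", about_b, direct)   # C is not consulted
    where, _ = decide(REPORTS, direct)
    return where, feedback(where, REPORTS, direct)
```

With these values A ends up trusting C at 0.32 (below the threshold, so C's "at work" is not counted) and B at 0.66, and the vote gives "home"; the feedback step then moves D to 1.0, B to 0.76 and C to 0.22.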


Trust Evaluation, Decision & Guarantee

Figure: trust evaluation, decision and guarantee. Cyber environments (computers, components, software, services, …) and users exchange digital input and digital output through user–computer interactions. Trust is measured, modelled, monitored, managed, analysed, updated, evolved, established and negotiated (TQoS, …). What is the consequence of misbehaviour or unexpected output from the trustor/trustee? The diagram carries the labels T, Te, T-Te and T-Te-Tp, where Te is the trust error (over-trust or under-trust); safety protection (technical + social) and trust guarantee (security + reliability + …) stand between an interaction and loss, unsafe states or danger.

Tokyo Stock Loss: $350M in 10 minutes

Dec. 12, 2006 - President of Tokyo Stock Exchange Resigns

A computer glitch shut down trading on the exchange, the world's second-largest after the New York Stock Exchange, for almost an entire day.

A typographical error by Mizuho Securities brokerage generated a $350 million loss.

An employee mistakenly typed an order to sell 610,000 shares at 1 yen, instead of an order to sell one share at 610,000 yen ($5,057).

Mizuho's computer failed to catch the error, but that wasn't all. As Mizuho tried frantically to cancel the order, the computer blocked its efforts for about 10 min.

Prime Minister Koizumi commented on the problem that “we need to think more about putting safety measures in place to prevent confusion”.
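Pre-trade sanity checks of the kind Koizumi's remark calls for, applied to the Mizuho order above. This is an added example, not from the lecture or from any exchange's real rule set; the reference price, the 14,500 shares outstanding and the three limits are constructed assumptions.

```python
"""Pre-trade sanity checks of the kind that would have caught the Mizuho
'sell 610,000 shares at 1 yen' order above. Added example, not from the
lecture; the reference price, shares outstanding and limits are constructed."""

from dataclasses import dataclass

# Constructed listing data: last price 610,000 yen (the slide's figure) and
# a small float of 14,500 shares outstanding (an assumption for this example).
LISTING = {"ref_price": 610_000, "shares_outstanding": 14_500}

MAX_PRICE_DEVIATION = 0.20      # limit price must be within 20% of reference
MAX_SHARES_FRACTION = 0.05      # one order may not exceed 5% of shares outstanding
MAX_NOTIONAL = 1_000_000_000    # and may not exceed 1 billion yen in value


@dataclass
class Order:
    side: str       # "sell" or "buy"
    quantity: int   # number of shares
    price: int      # limit price in yen


def validate(order, listing=LISTING):
    """Return the list of rejection reasons; an empty list means accept."""
    if order.quantity <= 0 or order.price <= 0:
        return ["quantity and price must be positive"]
    reasons = []
    ref = listing["ref_price"]
    if abs(order.price - ref) / ref > MAX_PRICE_DEVIATION:
        reasons.append(f"price {order.price} is more than "
                       f"{MAX_PRICE_DEVIATION:.0%} from reference {ref}")
    if order.quantity > listing["shares_outstanding"] * MAX_SHARES_FRACTION:
        reasons.append(f"quantity {order.quantity} exceeds "
                       f"{MAX_SHARES_FRACTION:.0%} of shares outstanding")
    if order.quantity * order.price > MAX_NOTIONAL:
        reasons.append("notional value exceeds the per-order limit")
    return reasons


def fields_look_swapped(order, listing=LISTING):
    """Typo heuristic: the order fails, but with price and quantity
    exchanged it would pass, so the operator probably swapped the fields."""
    swapped = Order(order.side, order.price, order.quantity)
    return bool(validate(order, listing)) and not validate(swapped, listing)


# The order as typed (sell 610,000 at 1 yen) and the order that was meant.
TYPED = Order("sell", 610_000, 1)
INTENDED = Order("sell", 1, 610_000)
```

The typed order trips both the price-deviation and the quantity check, and `fields_look_swapped` flags it as a likely transposition, which is the point at which a confirmation step rather than silent execution belongs.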

Looped Ubiquitous System

Figure (labels translated from Japanese): sensors → action; people, human bodies, objects, appliances, spaces, environments; ubiquitous; automatic acquisition, storage, processing, management, analysis, judgement, use, etc. of information. Further labels: Various Information, Desired Services, Context, Context-Aware Intelligent Processing, Ubiquitous Devices, Physical Worlds, Closed Loop.

Ubicomp: Physical-Cyber Loop & Consequence

Figure: cyber environments (computers, components, software, services, …) and users/objects exchange physical input and physical output through sensors and actuators, forming an automatic physical–cyber–physical loop. Trust and safety are measured, modelled, monitored, managed, analysed and evolved. What is the consequence of misbehaviour or unexpected output from the trustor/trustee? User protection (technical + social) and safety guarantee (security + reliability + …) stand between the loop and loss, unsafe states or danger.

B-2 Spirit Crash

On 23 February 2008, a B-2 crashed back onto a runway shortly after takeoff from Andersen Air Force Base in Guam. The aircraft was completely destroyed, a total loss estimated at US$1.4 billion.

The findings of the subsequent investigation stated that the B-2 crashed after "heavy, lashing rains" caused water to enter skin-flush air-data sensors, which feed angle of attack and yaw data to the computerized flight-control system. The water distorted preflight readings in three of the plane's 24 sensors, causing the flight-control system to send an erroneous correction to the B-2 on takeoff. Because of the faulty readings, the flight computers determined inaccurate airspeed readings and incorrectly indicated a downward angle for the aircraft, which contributed to an early rotation and an un-commanded 30-degree pitch up and left yaw, resulting in the stall.
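A redundant-sensor plausibility check for the situation described above: three of 24 air-data sensors reading wrongly should be detected as a disagreeing cluster before takeoff rather than folded into the flight-control computation. This is an added example, not from the accident report or the aircraft's software; the readings, the deviation threshold and the no-go count are constructed.

```python
"""Redundant-sensor plausibility check for the B-2 case above: 3 of 24
air-data sensors giving distorted readings should be detected before
takeoff, not averaged in. Added example, not from the accident report;
the readings, thresholds and sensor-fault pattern are constructed."""

from statistics import median

SENSOR_COUNT = 24       # the B-2 has 24 air-data sensors (from the text)
MAX_DEVIATION = 3.0     # degrees from the median beyond which a reading is rejected
MAX_REJECTED = 2        # more disagreeing sensors than this means no-go


def naive_average(readings):
    """Plain mean: a few wildly wrong sensors drag the result with them."""
    return sum(readings) / len(readings)


def robust_consensus(readings, max_dev=MAX_DEVIATION):
    """Median-vote, then average only the readings close to the median.

    Returns (consensus, rejected_indices). The median stays correct as long
    as fewer than half of the sensors are wrong, so it is a safe reference
    for deciding which individual sensors to distrust.
    """
    med = median(readings)
    rejected = [i for i, r in enumerate(readings) if abs(r - med) > max_dev]
    good = [r for i, r in enumerate(readings) if i not in rejected]
    return sum(good) / len(good), rejected


def preflight_check(readings, max_rejected=MAX_REJECTED):
    """Go/no-go: mask a couple of outliers, refuse takeoff on a cluster.

    A wet-sensor fault hits several sensors at once, so the number of
    disagreeing sensors is the safety signal, not only the consensus value.
    """
    if len(readings) != SENSOR_COUNT:
        return {"go": False, "reason": "wrong number of sensor readings"}
    consensus, rejected = robust_consensus(readings)
    if len(rejected) > max_rejected:
        return {"go": False, "reason": f"{len(rejected)} sensors disagree",
                "rejected": rejected}
    return {"go": True, "consensus": consensus, "rejected": rejected}


# Constructed angle-of-attack readings (degrees): all 24 sensors agree within
# 0.2 degrees when dry; with water in sensors 4, 11 and 17 they read -9.0.
HEALTHY = [2.0 + 0.1 * (i % 3) for i in range(SENSOR_COUNT)]
WET = [-9.0 if i in (4, 11, 17) else r for i, r in enumerate(HEALTHY)]
```

On the wet set the plain mean drops from about 2.1 to about 0.7 degrees, while the median-based check keeps the consensus near 2.1 and, more importantly, reports three disagreeing sensors and returns no-go.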

A Boy Killed by an Auto-door

Asahi Newspaper, 2004/3/27; 2004/4/20; Nihon Keizai Shimbun (日本経済新聞), 2004.3.26: a boy died due to a revolving door.

Figure: sensing ranges (from Prof. Z. Cheng)

Elevator Accidents

Asahi Shimbun (朝日新聞), 8 June 2006; Asahi Shimbun / Sankei Shimbun (産経新聞), 2006/6/17

2006.06.03: a high school student died when he took a bicycle into an elevator, which started to move without completely closing the door.

If the open button is pushed just after the door has been closed, the elevator may start to go up with the door open. (From Prof. Z. Cheng)
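A door interlock for the race condition just described: an "open" press after the door has closed must cancel the pending move, and the car must never start unless the door is confirmed locked. This is an added example, not from the lecture or any real elevator controller; the states, events and sensor names are constructed.

```python
"""Door interlock state machine for the elevator race described above:
an 'open' press just after the door has closed must cancel the pending
move, and the car must never move unless the door is confirmed locked.
Added example, not from the lecture; states and events are constructed."""


class ElevatorInterlock:
    def __init__(self):
        self.door = "open"          # open | closing | closed | locked
        self.car_moving = False
        self.pending_move = None    # floor requested while door not yet locked
        self.log = []

    def request_floor(self, floor):
        """A floor request only leads to motion via the locked state."""
        self.pending_move = floor
        if self.door == "open":
            self.door = "closing"
        return self._try_start()

    def door_closed(self):
        """Door sensor reports closed; the latch has not engaged yet, so
        this event alone must not start the car (the unsafe shortcut)."""
        self.door = "closed"
        return self._try_start()

    def door_locked(self):
        """Latch sensor confirms the door is mechanically locked."""
        if self.door != "closed":
            return False            # a lock signal without a closed door is a fault
        self.door = "locked"
        return self._try_start()

    def press_open(self):
        """Open button: ignored while moving, otherwise cancels the pending move."""
        if self.car_moving:
            return False
        self.pending_move = None
        self.door = "open"
        self.log.append("open pressed: pending move cancelled")
        return True

    def _try_start(self):
        """Motion starts only when a move is pending AND the door is locked."""
        if self.pending_move is not None and self.door == "locked":
            self.car_moving = True
            self.log.append(f"moving to floor {self.pending_move}")
            return True
        return False
```

Replaying the accident sequence (request, door closed, open pressed, stale lock signal) leaves the car stationary with the door open, while the normal sequence (request, closed, locked) starts it.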

Novel Features and Unsafe Factors

Unobtrusive AEB in real objects and environments → physical characteristic oriented unsafe factors
- Limited computation, open/changing/worse working conditions
- Used consciously or unconsciously

Diverse users with different backgrounds/demands (all people from baby to elder, normal to disabled, ……) → human characteristic oriented unsafe factors
- No computing knowledge, no expected usage, no awareness of dangers, no ability of handling, ……
- Safe/unsafe is not absolute but relative, up to the individual/situation

Life-like systems, smart u-things from small to large scales (passive → interactive → active → life-like) → life-like system characteristic oriented unsafe factors
- Imprecise sensing data, insufficient context, complex relations, ……

Ubiquitous Comp/Dev./Net → Ubiquitous Risks/Dangers

Ubisafe Computing Vision

Ultimately General: a u-environment in which any u-person can get satisfactory services safely anytime and anywhere in any situation, and does not have to worry or even think about the safety problem.

Extremely Ideal: a u-environment in which all u-objects including u-persons are both non-negative and reliable (thus completely trustable, no risk/attack at all), and thus all u-persons are absolutely safe.

Relatively Ideal: a u-environment in which some anti-risk/attack u-systems are so powerful that any u-person can be isolated from outside risks/attacks; all risks/attacks originating from a u-person itself can be predicted and prevented.

Practically Perfect: a u-environment in which some u-systems can predict and detect all possible risks/attacks, and take proper actions to prevent or protect u-persons from the risks/attacks.

Ubisafe Computing Challenges

To study all possible unsafe sources of various u-objects from the physical, human and life characteristics.

To model and detect all possible risks, attacks, dangers and so on, known and unknown.

To form safety u-systems: centralized/distributed, part/whole safe, local/global, autonomic/controllable.

Meaning, measure and semantics of “safe” and “ubisafe”: absolute, relative, degree/level, subjective, objective, …

Situated or context-related ubisafe interwoven with the diversity/complexity of the real world and various people.

Non-technical issues: law, regulation, ethics, …

How to combine technical and non-technical forces.

Vulnerabilities of Cyber-Physical Systems

• Controllers are computers
• Networked
• Commodity IT solutions
• New functionalities (smart infrastructures)
• Many devices (sensor webs)
• Highly skilled IT global workforce (creating attacks is easier)
• Cybercrime

Example of Attacking a Grid CPS

Trusted Computing (TC) Trustworthy Computing (TwC)

Trusted Computing: with Trusted Computing, the computer will consistently behave in expected ways, and those behaviors will be enforced by hardware and software.

Trustworthy Computing: Trustworthy Computing (TwC) has been applied to computing systems that are inherently secure, available and reliable.

Security has always been a part of computing, but now it must become a priority.

Privacy: it is critical that information is protected and kept private as computing becomes ubiquitous, connecting people and transmitting information over various networks and services.

Reliability encompasses all technical aspects related to availability, performance and disruption recovery.

Trusted/Trustworthy System

The system does what is required

Despite disruption, errors, and attacks

The system does not do other things

Encompasses

Correctness

Reliability

QoS

Security

Privacy

Safety

Survivability

Reputation

Read the documents below and access the related websites to learn more about security, trust and safety in ubiquitous computing, pervasive computing, AmI, CPS, IoT, RFID, WSN, etc.

Security Issues in Ubiquitous Computing by Frank Stajano

Ubisafe Computing: Vision and Challenges (I) by Ma, et al

Security – Wikipedia, Computer security - Wikipedia

Trusted Computing – Wikipedia

Trustworthy Computing - Wikipedia

Others you like. Important to get materials from the Web!!

Homework

