Shahzad Bhatti Welcome to my ramblings and rants!

Embedded Security: Top Ten Myths

by Mukesh Lulla, TeamF1

Perhaps no other area of embedded technology gets as much visibility today as security. After all, if .connectivity. of modern embedded systems was the wave of the last decade, it.s no surprise that .secure connectivity. is becoming an almost inescapable requirement as networks come of age. The prevalence of wireless, remote management, storage, and mobile technologies has reinforced the urgency of this requirement and sparked renewed interest in not just protection of data-in-transit, but also data-at-rest.

State of the Onion

As prolific as the exhortations to protect embedded devices are, the current state of security in many embedded applications still hovers somewhere between confused complacency and intimidated inaction.

.Security is a multi-dimensional problem., insist some pundits while others claim, .simplicity is the key to practical security.. .Think of security as an onion with layers and layers of defenses., more experts chime in. .Layers serve as obfuscation and give you an illusion of security., retort the critics. Confusion hath now made his masterpiece!

While the high priests of security duke it out and management, sniffing the fumes of unrealistic end-customer demands, wants nothing short of an absolute guarantee of security, we engineers are frequently left to sort out what is and what is not feasible. When it comes to security, conventional wisdom just isn.t!

Hit or Myth

Muddying the waters further are some widely held misconceptions. We cannot resolve the apparent contradictions surrounding the best practices for secure devices without first clearing this fog, so we.ll start by dispelling ten of the more egregious myths surrounding this subject:

1. Myth #10 : We aren.t the likely target of an attack

   This is the most pernicious myth of all and takes various forms: .The data on/from my device is useless to others, ergo I don.t need any security.. Or, .who would ever want to spend the effort to hack my system?.. But with the proliferation of easily accessible hacking tools, advanced crackers aren.t all you need to worry about-a whole army of kiddie-script writer wannabes is waiting for their 15 minutes of fame.

2. Myth #9 : My embedded system.s security has never been broken, so it.s all we need

   Sure, that.s like saying: .I intend to live forever – so far, so good.. Enough said!

3. Myth #8 : My device is password .protected.

   Well, password protection at least implies awareness of a requirement for security. However, passwords are usually sent over a network in clear-text and are easily captured by packet sniffers on intermediate network nodes. In most cases, they provide only a deceptive veneer of security. If the password scheme protects remote management or access to the device, an attacker could potentially gain complete control of the device with impunity. Even if passwords were sent over a secure channel, they may still be susceptible to dictionary attacks.

4. Myth #7 : Security protocol XYZ is the silver bullet

   Once convinced that real security is needed, many users start looking for a quick fix believing that some single well-known security protocol is all that their device needs. One common manifestation: .My device has a firewall, so I don.t need to worry about security threats.. Such delusions of adequacy may blind one to serious vulnerabilities in the system such as lack of protection for network data.

5. Myth #6 : Two security protocols are better than one

   This is only a half-myth, but is so frequently abused that it deserves attention. Belief that there is no one panacea for security convinces some to take it to the next logical step-back up the truck and load up on it. After all, more security can.t be worse than less security. But what.s forgotten in this exquisite distillation of logic is that security is weakest at the seams, so adding multiple security layers to an embedded device without thinking it through is like putting three dead-bolts on a door whose door jamb is not anchored to the wall. Security should be a strategy, not a bunch of protocols.

6. Myth # 5 : Security is the same as encryption

   This myth and its corollary-.cryptography is the same as encryption.-are byproducts of buzzword hype. Certainly, encryption is a cornerstone of information security, but consider this fallacy: what if an encrypted (and thus, confidential) connection goes not to the entity you expected to communicate with, but to an unauthorized one? In other words, you may have a completely secure channel, so no one else can listen in to your conversation with. an attacker! Security needs to include authentication (identity verification), integrity (tamper-resistance), and various other techniques to thwart attacks. These are typically based on cryptographic operations, which include but are not limited to encryption.

7. Myth #4: More .bits. mean stronger security

   Yet another fallacy related to encryption is that more .bits. of encryption mean higher security strength. However, like all data, the impact of the .bits. (usually key-size or block-size of encryption algorithms) only depends on the application that uses it-in this case, the encryption algorithm. Assuming that 256-bit RC-4 is stronger than 128-bit AES encryption is like comparing apples to oranges, not to speak of the watermelons that elbow their way in when 1024-bit public-keys (RSA, DSA) are thrown into the equation.

8. Myth # 3 : Security will get in the way of my application

   Security is a subject that turns many embedded developers off. The resource requirements (code size, memory usage, CPU .horsepower.) for cryptography are often formidable by embedded standards. Even if that were reconciled, developers often think that security detracts from their productivity by making things difficult. However, a well-designed security solution that leverages hardware / software optimally, and provides a common framework to secure different aspects of an embedded application can be less intrusive than one may imagine.

9. Myth #2 : I can do it better

   Embedded development frequently revolves around the efficiency of solutions developed in-house because .No one understands my systems as well as I do.. Security protocols, in particular, are viewed as laden with more baggage than a Samsonite factory, so some developers concoct small-footprint, lightweight implementations without the .bells and whistles.. If this is done without a full understanding of why a protocol required it, the bell or whistle that was left out might spell the difference between strong and weak security, and worse, may not be exposed until it.s too late.

10. Myth # 1 : A proprietary implementation is more secure than an open one

    It is a human tendency to equate secrecy with protection of sensitive information and this reasoning has been used to promote some really arcane security implementations. However, if secrets extend beyond the realm of replaceable secret keys to the use of secret methods and implementations, this can be a major cause of brittleness. .Security by obscurity. flies in the face of good security practices. Core security-especially the security protocol and cryptography-should be based on code available for public review. This ensures a deeper analysis of any vulnerabilities than would be possible with any single company.s proprietary code which claims compactness and is written partially in .high-performance. assembly that looks like line noise, just so that .no one can break into it..

Deconstructing Security

Achieving strong security is indeed a multi-dimensional problem, but the key is to architect the system using a cohesive approach to security, rather than stitching together a solution from various pieces-remember, the seams are always the most vulnerable. Inadvertent vulnerabilities resulting from the use of a well-designed crypto algorithm in an application it was never intended for, may be worse than choosing a weaker algorithm and knowing the consequences upfront. The .layers-of-onion. model of security can provide defense in depth, but only if the layers are standard components put together in a consistent manner so as to complement each other.

It is important to recognize the different facets of the embedded security problem first and make sure all relevant ones are considered in the solution. One way to divide the security requirements of an embedded system is to analyze three areas:

Data Security-security of raw data residing on the device e.g. configuration files, statistics, or even databases.

System Security-security of the embedded device as a networked node, or security of the perimeter of a network of devices.

Network Security-security of the data moving between a device and other systems.

Of course, a heavy-gauge steel box welded shut is a very secure container indeed, but not a very useful one. So it is important to remember that a secure system does need to allow access to AUTHORIZED users. This ties in to the concept of identity or more specifically, proving that an entity is who it purports to be-Authentication, which is another important dimension of security that needs to be analyzed.

An embedded device that integrates these elements of security in a seamless manner and complements them with consistent system-wide security policies would be a truly secure device, not just one believed to be secure. After all, while optimism has its place in the world, it has no business being a part of your device.s security strategy.

Enterprise Service Bus using JSR 208: JavaTM Business Integration (JBI)
ESB will supercede traditional integration solutions offered by companies such as WebMethods and SeeBeyond. Bea plans to offer QuickSilver, Sonic Software, Cape Clear, SpiritSoft, and Celtix (based on IONA’s Artix).

Booch Presentation on Complexity

Complexity of the problem domain
Difficulty of managing the development process
Fluidity of software
Fundamental challenges of discrete systems
Volume of requirements
Presence of competing/contradictory requirements
Non-functional requirements that push the limits of software
Requirements churn
Difficulty of communicating requirements
Impedance mismatch among stakeholders
Unrestrained external complexity
Software drag

Size up
Increasing database size by a factor of x increases query response time by at most a factor of x.

Speed up
Increasing the capacity of your hardware configuration by a factor of x decreases your query response time by no less than a factor of x.

Scale up
Increasing the workload on your system by a factor of x while maintaining response time and/or throughput requires increasing your capacity by a factor of no more than x.

Scale out
Increasing workers by a factor of x requires replicating your capacity by a factor of at most x.
http://www.intelligententerprise.com/db_area/archives/1999/991602/scalable.jhtml

Fluidity of software
Software springs from pure thought and is intrinsically malleable, yet it can be made manifest in our hardware systems, limited only by our vision (and certain immutable laws of physics and software)

Fundamental challenges of discrete systems
Non-continuous behavior of discrete systems
Combinatorial explosion of states
Corruption from unexpected external events
Lack of mathematical tools and intellectual capacity to model the behavior of large discrete systems

Essential complexity
.Einstein argued that there must be simplified explanations of nature, because God is not capricious or arbitrary. No such faith comforts the software engineer. Much of the complexity that he must master is arbitrary complexity.. [Brooks]
We may master essential complexity, but we can never make it go away.

Attributes of a complex system
.Frequently, complexity takes the form of a hierarchy, whereby a complex system is composed of interrelated subsystems that have in turn their own subsystems, and so on, until some lowest level of elementary components is reached.. [Courtois]
Hierarchic systems are decomposable if they can be divided into identifiable parts; they are nearly decomposable if their parts are not completely independent. [Simon]
The choice of what components in a system are primitive is relative arbitrary and is largely up to the discretion of the observer of the system.
As systems evolve, objects that we once considered complex become the primitive objects upon which more complex systems are built.
Intracomponent linkages are generally stronger than intercomponent linkages. This fact has the effect of separating the high-frequency dynamics of the components . involving the internal structure of the components . from the low-frequency dynamics – involving interaction among components. [Simon]
Hierarchic systems are usually composed of only a few different kinds of subsystems in various combinations and arrangements. [Simon]

Decomposible and nearly-decomposible systems

A few articles and useful links:
The Free Lunch Is Over: A Fundamental Turn Toward Concurrency in Software

AOSD 2005

AOP with Metadata: principles and practices (Ramnivas Laddad)

Guideline: don’t use annotations when you can do without them. Eg. you want to capture all RMI operations. You can write a simple, stable pointcut: execution(* Remote+.*(..) throws RemoteException) – no need for an annotation here. Likewise you can write a stable pointcut for all thread-safe calls to the Swing library – you don’t need annotations for this either.

Not sure if Ramnivas is going to mention this, but there are also expressibility limitations with annotations – you can’t say for example “all calls to x within y” since you can’t annotate calls (you can say “all calls to a method with an annotation X made within y” – but that’s a slightly different thing). There are other examples too…

A second guideline from Ramnivas: employ aspect inheritance to defer pointcut specification to a sub-aspect. Now write one pointcut per “subsystem” this will be much easier than trying to write a single global pointcut that works across the whole system.

A third guideline – make use of existing annotation types – eg. EJB

A fourth guideline – if you create annotation types, use names that describe a property of the annotated element, not an instruction to some processor. Eg. @ReadOnly, not @ReadLock, use @Idempotent, not @RetryOnFailure, and so on.

A final guideline – wisdom comes with experience: start with something and refactor as you go along.

Ramnivas is now discussing whether metadata-fortified AOP harms “obliviousness”. His argument is that it does not if the guidelines are followed.

The final flourish in Ramnivas’ talk. You could have an aspect that matches on annotated methods… if you don’t want to annotate them individually, you can use an inner aspect (participant pattern) to declare them…

Bohrbug Vs Heisenbug
Bohrbug (Niel Bohr) – retrying will result in the same error.

Heisenbug (Werner Karl Heisenberg) – retrying may or may not result in the same error

1. Omission Failure: abscence of response
2. Timing Failure: system does not provide result within the specified timeframe (early timing failure/late timing failure)
3. Response Failure – system provides incorrect value
4. Crash Failure – no further responses until reboot

Principles of design

1. Modularity
2. Fail fast / heartbeat
3. Independent failure modes
4. Redundancy/repair – hot swapping
5. Elimination of single point of failure – redundancy

Pair/Spare approach — provide two instances of critical resources and ability to swap one out.

Running Code and Regular Releases

1a) Releasing a protoype when only 20% of the functionality is complete, was a significant predictor of both reduced defect-rate and increased productivity.

1b) Both formal design reviews and regression tests were significant predictors of reduced defect-rate (but not productivity).

1c) Daily builds were a significant predictor of increased productivity (but not reduced defect-rate).

1d) There was no significant association between either defect-rate or productivity, and dividing a project into subcycles (which developed a subset of the final functionality).

Conclusion: Get a prototype into the hands of customers asap.

http://www.cc.gatech.edu/classes/AY2005/cs6300_fall/papers/maccormack

2a) One-third of the variation in product quality was explained by how quickly customers were given the first beta version.

2b) The data showed no relationship between the final product quality and the number of beta releases.

Conclusion: “Get a low-functionality version of the product into customers’ hands at the earliest possible stage…”

http://www.sloanreview.mit.edu/smr/issue/2001/winter/6/

Posted by: Isaac Gouy at February 11, 2005 11:59 AM

JINI

 Mobile computing > continually changing topology
 Edge networking > no administrator access
 Utility computing > dynamic system re/provisioning
 Dynamic clustering > changing cluster configuration
 Large-scale distribution > constant partial failure
 Dynamic integration > unpredictable service availability
 Ad-hoc networking > spontaneous assembly
 Workflow/Msg switching > loose, asynchronous coupling
 Compute Grid > dynamic scalability
 
 RPC Systems require :
 > The client to know who it is calling
 > The client to know where the server is
 > The client and server to be active at the same time
 > The client and server to agree in detail on what form the
 call will take
 > The client and server to agree in detail on how the call
 will be made
 
 
 Where to Use Spaces
 Flow of objects
 > Workflow
 > Dataflow
 Coordinating loosely coupled collections of
 processes
 > Allows components to come and go
 > Allows components to change
 Don't use where you need
 > A file system
 > A database (object or relational)
 
 Security Valuation: Spaces Style
 Valuate set of fixed income securities
 > Break work into small chunks
 > Write an entry for each chunk into the space
 > Wait for results to come back
 Server process loops
 > Taking valuation requests
 > Executing each request, writing back results
 
 
 public class Task implements Entry
 public String clientID;
 public Task() {}
   public Entry execute() {
     throw new UnsupportedOperationException();
   }
   public long resultLeaseTime() {...}
   }
 public class ValuationTask extends Task {
   // public String clientID;
   public InitialConditions data;
   public ValuationTask() {}
   public Entry execute() {
     ValuationResult result = new ValuationResult();
     result.clientID = clientID;
     result.value = data.valuate();
     return result;
   }
   public long resultLeaseTime() {...}
   }
 
 Server
 ValuationTask tmpl = new ValuationTask();
 while (true) {
   ValuationTask task = (ValuationTask) space.take(tmpl, null, Long.MAX_VALUE);
   Entry result = task.execute();
   if (result != null) space.write(result, null, task.resultLeaseTime());
   //if (result != null) space.write(result, null, task.leaseTime());
 }
 
 Client
 int count = 0;
 while (i.hasNext()) {
 ValuationTask task = new ValuationTask();
 task.clientID = "jmcclain";
 task.data = (InitialConditions)i.next();
 Lease l = space.write(task, null, 3600000)
 lrm.renewFor(l, Lease.FOREVER, null);
 count++;
 }
 ValuationResult tmpl = new ValuationResult();
 tmpl.clientID = "jmcclain";
 for (int i=0; i Authentication
 > Integrity
 > Confidentiality
 > Quality of service
 Use constraints (with Java policy) to specify
 > What a Subject can do
 > What a Subject can't do
 > What a Subject must do
 
 
 The Secure Remote Call Model
 Obtain a proxy from somewhere
 Perform 'proxy preparation'
 > Verify that the proxy can be trusted
 > Attach constraints to the proxy
 > Grant necessary permissions to the proxy
 Make remote calls through the proxy
 
 
 Jini Extensible Remote Invocation
 > RMI/JRMP ('1.0')
 > RMI/IIOP ('1.0B')
 > Jini ERI ('2.0')
 > Kerberos (Java GSS)
 > JXTA (jini.org project)
 > UDP (experimental)
 
 public interface JavaSpace {
 Lease write(Entry entry, Transaction txn, long lease)
 throws TransactionException, RemoteException;
 Entry read(Entry tmpl, Transaction txn, long timeout)
 throws UnusableEntryException, TransactionException,
 InterruptedException, RemoteException;
 Entry take(Entry tmpl, Transaction txn, long timeout)
 throws UnusableEntryException, TransactionException,
 InterruptedException, RemoteException;
 EventRegistration
 notify(Entry tmpl, Transaction txn,
 RemoteEventListener listener, long lease,
 MarshalledObject handback)
 throws TransactionException, RemoteException;
 Entry readIfExists(Entry tmpl, Transaction txn,
 long timeout)
 throws UnusableEntryException, TransactionException,
 InterruptedException, RemoteException;
 Entry takeIfExists(Entry tmpl, Transaction txn,
 long timeout)
 throws UnusableEntryException, TransactionException,
 InterruptedException, RemoteException;
 long NO_WAIT = 0;
 Entry snapshot(Entry e) throws RemoteException
 }
 
 
 
 Exporter Configuration
 example.sunw.service {
 ..............
 private endpt = SSlServerEndpoint.getInstance(0);
 private constraints = new BasicMethodConstraints
 (new InvocationConstraints
 (new InvocationConstraint[]{Integrity.YES},
 null) );
 private ilFactory = new ProxyTrustILFactory
 (constraints,
 ServicePermission.class);
 serverExporter = new BasicJeriExporter
 (endpt, ilFactory);
 ..............
 }//end example.sunw.service
 
 Proxy Preparer Configuration
 example.sunw.client {
 ..............
 private verifyTrust = true;
 private constraints
 = new BasicMethodConstraints(...);
 private dynamicPermissions
 = new Permission[] {...};
 servicePreparer
 = new BasicProxyPreparer(verifyTrust,
 constraints,
 dynamicPermissions);
 ..............
 }//end example.sunw.client
 
 
 
 Refinements
 Wrap operations in transactions
 Priorities
 Create a FIFO
 > Push data structure logic into the space also
 Audit trails
 Status
 Dependent tasks
 Fixed function server nodes
 
 
 
 Future
 Community currently working on extension to
 spaces
 > Batch write and take
 > Exhaustive read
 > Also fills roll of batch read
 > New event
 > New queries support multiple templates
 Should make space better at multicasting
 Batch/multi-template take should help various
 compute server scenarios
 
 
 GigaSpaces http://www.gigaspaces.com
 IntaMission http://www.intamission.com
 Blitz - http://www.dancres.org/blitz
 
 

More papers on Aspected Oriented Programming/JFormDesigner
Jini: Out of the Bottle and Into the Box

High availability Tomcat

iptables -t nat -A PREROUTING -p tcp -d lo –dport 80 -j DNAT –to 127.0.0.1:8081
LoadModule jk2_module modules/mod_jk2.so
APACHE2_OPTS=”-D JK2″

Murphy’s Law and Open Source Software Development

Web services programming tips and tricks: Improve interoperability between J2EE technology and .NET, Part 1

Review of 2004: Bruno Souza to Sun – “Stop Saying ‘Our Implementation Is Open Source,’ It Is Not”

Introducing the Reflexive User Interface Builder

OnJava Top articles

Use continuations to develop complex Web applications

Struts Action

Working with Hibernate in Eclipse

Holiday Party Guide to Patterns

Zen and the Art of Aspect-Oriented Programming

Ruby Gardens

Refactor dynaop Factories using dynaop

Dynamic AOP PDF

AspectWerkz PPT

AspectWerkz

Second-generation aspect-oriented programming

Zen and the Art of Aspect-Oriented Programming

Futures and Concurrent Programming (Part 1)

Future Java 1.5

Unbreakable Build

Developers should never build

MasterJ2EE Oracle

Yet Another 2005 Prediction List

Performance Tips PDF

Struts ActionMapping

Mixin Inheritance PDF

 Mixins
  Class parametrized by a superclass
  A mixin applied to a class return a class with
 mixed-in behavior
  Reuse functionality orthogonal to inheritance
  Implementation: based on single inheritance
 linearisation
 
 Mixin inheritance
  Mixin inheritance is an approach that avoids many
 of these multiple inheritance problems
  Mixins are combined by using the regular single
 inheritance operation
  Mixins are always applied one after the other
 
 Implications
  Super is late bound!
  This is only at composition time that super will
 identify the right class.
  A mixin can be mixed in several classes
  Super refers to different classes!
  Similar to call-next-method (CLOS, Dylan)
 
 
 Mixin Inheritance Limits
  Implicit conflict resolution
  Surprising behavior
  Composite entity is not in full control
  Dispersal of glue code
  Fragile hierarchies
 
 
 Traits
 Groups of methods
  Within single inheritance
  Supporting construction of class based on building bricks
 
 How are Traits Used?
  Traits are the behavioral building blocks of classes
  Class = Superclass + State + Traits + Glue methods
 
 

Mixin: Multiple Inheritance in Java