Task 3.2: Security and Privacy

[Dutta, Halderman, Lafortune, Pappas, Seshia]

TerraSwarm applications will typically require continuous monitoring and aggregation of data, often including personal data about participants. For privacy reasons, people typically do not want to release more information about themselves than is strictly necessary, and they do not want aggregated data to enable additional inferences about their personal lives. Data privacy and security will therefore be of significant concern. This task focuses on how privacy and security mechanisms can help provide security and privacy at the system level. Specifically, it leverages concepts such as differential privacy and opacity to develop practical ways of preserving privacy at diverse levels. In addition, this task leverages the SwarmBox architecture to exploit locality to preserve privacy and enhance security.

A related challenge is that security of cloud data is often more difficult to achieve than it would be in systems with clear physical boundaries. As part of this task we will focus on addressing the storage security challenges associated with the use of massively distributed, highly disconnected swarm components with a more complex notion of "ownership," such as sensors that are part of a shared, public infrastructure. For actuators, the level of security required will depend on the consequences of a security breach. It will be different, for example, if the actuator is responsible for redirecting traffic than if it is responsible for appending cloud data to a distributed log.

This task explores the use of security-related technologies and techniques such as static analysis, hazard analysis, and elliptic curve cryptography to implement effective security approaches. It leverages existing research in the area of distributed storage to inform the design of cloud-based swarm applications that need strong guarantees of security despite their reliance on physically insecure infrastructure.

A new effort within this task is to develop logically isolated devices using cryptographically sound techniques. Specifically, this effort exploits virtualization layers to provide new opportunities for improving security. Today, wireless networks within the home, office, and industrial plants, such as 802.11 and 802.15.4, are protected from eavesdropping by a single, shared key that provides link-layer encryption. Unfortunately, because every node holds that one key, a compromised node can gain unfettered access to all other resources. As the number and diversity of embedded devices within homes, offices, and plants grow, the risk of node compromise increases. And, as some things will have the ability to actuate (door locks, coffee pots, steamrollers, and garage doors, for example), compromised nodes could easily lead to physically insecure or unsafe conditions. To mitigate the potential for harm, we will logically isolate devices using cryptographically sound techniques so that only authorized interactions between devices are permitted. Of course, since wireless is a broadcast medium, it is difficult to protect against an adversary mounting certain classes of attacks, such as jamming attacks. However, we propose a different standard for security:

  1. all nodes must be authenticated,
  2. all communications between nodes must be authorized,
  3. any unauthorized communications must be discarded,
  4. all communications must be confidential,
  5. the integrity of all communications must be ensured, and
  6. it must not be possible to repudiate any communication that results in an externalized action.
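
As an added illustration of the six rules above (example code written for this page, not part of the TerraSwarm proposal or any of its implementations), the following Go program models pairwise-authorized messaging between swarm nodes using only the standard library. Each node has an Ed25519 identity (rules 1 and 6), each pair of nodes shares an AES-256-GCM key that is assumed to have been provisioned out of band during commissioning (rules 4 and 5), a per-peer allow-list states which actions a peer may request (rule 2), and the receiver rejects anything that fails a check before acting (rule 3) while retaining every accepted signed envelope as evidence. The node names, the "unlock" action, the envelope layout and the per-sender sequence number used to discard replays are all constructed for the example; the six rules do not mention replay protection, but a device that actuates needs it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the on-air message format (constructed for this example).
type Envelope struct {
	From, To   string
	Seq        uint64 // monotonic per sender; receivers discard replays
	Nonce      []byte // 12-byte AES-GCM nonce
	Ciphertext []byte // AES-GCM(action) with tag; header() is the AAD
	Sig        []byte // Ed25519 signature over header||nonce||ciphertext
}

// header is authenticated but not encrypted; signedBytes is what the sender signs.
func (e *Envelope) header() []byte { return []byte(fmt.Sprintf("%s\x00%s\x00%d", e.From, e.To, e.Seq)) }
func (e *Envelope) signedBytes() []byte { return append(append(e.header(), e.Nonce...), e.Ciphertext...) }

// Node holds one device's identity and its provisioned trust state.
type Node struct {
	Name    string
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	peers   map[string]ed25519.PublicKey // authenticated identities (rule 1)
	pair    map[string]cipher.AEAD       // pairwise AES-256-GCM (rules 4 and 5)
	allowed map[string]map[string]bool   // peer -> actions it may request (rule 2)
	lastSeq map[string]uint64            // highest Seq accepted per peer
	seq     uint64
	Audit   []Envelope // accepted signed envelopes kept as evidence (rule 6)
}

func NewNode(name string) *Node {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return &Node{Name: name, pub: pub, priv: priv, peers: map[string]ed25519.PublicKey{},
		pair: map[string]cipher.AEAD{}, allowed: map[string]map[string]bool{}, lastSeq: map[string]uint64{}}
}

// Pair exchanges public keys and a fresh pairwise key (assumed to happen over an
// out-of-band commissioning step) and lists the actions b may request from a.
func Pair(a, b *Node, actionsBMayRequest ...string) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { panic(err) }
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	g, err := cipher.NewGCM(block)
	if err != nil { panic(err) }
	a.peers[b.Name], b.peers[a.Name] = b.pub, a.pub
	a.pair[b.Name], b.pair[a.Name] = g, g
	a.allowed[b.Name] = map[string]bool{} // pairing alone grants no actions
	for _, act := range actionsBMayRequest {
		a.allowed[b.Name][act] = true
	}
}

// Send builds a confidential, integrity-protected, signed envelope for peer to.
func (n *Node) Send(to, action string) (Envelope, error) {
	g, ok := n.pair[to]
	if !ok { return Envelope{}, errors.New("not paired with " + to) }
	n.seq++
	e := Envelope{From: n.Name, To: to, Seq: n.seq, Nonce: make([]byte, 12)}
	if _, err := rand.Read(e.Nonce); err != nil { return Envelope{}, err }
	e.Ciphertext = g.Seal(nil, e.Nonce, []byte(action), e.header())
	e.Sig = ed25519.Sign(n.priv, e.signedBytes())
	return e, nil
}

// Receive applies the rules in order; any failure discards the message (rule 3) before anything is actuated.
func (n *Node) Receive(e Envelope) (string, error) {
	pub, ok := n.peers[e.From]
	if !ok || e.To != n.Name { return "", errors.New("unknown sender or misaddressed") }
	if !ed25519.Verify(pub, e.signedBytes(), e.Sig) { return "", errors.New("signature check failed") }
	if e.Seq <= n.lastSeq[e.From] { return "", errors.New("replayed sequence number") }
	plain, err := n.pair[e.From].Open(nil, e.Nonce, e.Ciphertext, e.header())
	if err != nil { return "", errors.New("decryption or tag check failed") }
	if !n.allowed[e.From][string(plain)] { return "", fmt.Errorf("%s may not request %q", e.From, plain) }
	n.lastSeq[e.From] = e.Seq
	n.Audit = append(n.Audit, e)
	return string(plain), nil
}

// Demo pairs a door lock with an authorized controller and a paired but unauthorized coffee pot.
func Demo() (action string, okErr, replayErr, deniedErr error) {
	lock, ctrl, pot := NewNode("door-lock"), NewNode("controller"), NewNode("coffee-pot")
	Pair(lock, ctrl, "unlock")
	Pair(lock, pot)
	m, _ := ctrl.Send("door-lock", "unlock")
	action, okErr = lock.Receive(m)
	_, replayErr = lock.Receive(m)
	p, _ := pot.Send("door-lock", "unlock")
	_, deniedErr = lock.Receive(p)
	return
}

func main() { fmt.Println(Demo()) }
```

Running the program shows the lock accepting "unlock" from the controller, discarding the replayed copy of the same envelope, and discarding the coffee pot's request even though the pot is a fully authenticated peer: authentication and authorization are separate checks, which is the contrast with a single shared link-layer key. The signature is verified before decryption so that the Ed25519 public key, not the pairwise symmetric key, is what identifies the sender; the retained `Audit` entries can later be checked by any party holding the sender's public key, which is what makes the accepted action non-repudiable.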

We propose to explore:

  1. the extent to which such a security paradigm is viable using current embedded computing resources (e.g. by benchmarking embedded 16- and 32-bit processors);
  2. how to include cloud cryptographic resources for highly-challenged devices;
  3. how such security systems could be made easy to use (i.e. how to naturally express trust relationships);
  4. formal definition of secure interfaces between components (theme 4); and
  5. a reference implementation that can run on the TerraSwarm infrastructure and provide a guide for third party designers.