Modeling Attacks in IoT to Assist the Engineering Process

Bibliographic details
Main author: Rodrigues, Luís Carlos Mendes
Publication date: 2020
Document type: Dissertation
Language: eng
Source title: Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
Full text: http://hdl.handle.net/10400.6/11092
Abstract: The Internet of Things is the broad name given to technologies that allow any devices (known in this context as things) to communicate seamlessly with each other as well as with machines, applications and databases, among others. This allows devices in an environment such as a home, a factory or a hospital to interact with each other and even to autonomously perform actions based on the information they receive. This integration of technology in regular, everyday devices gives the people who interact with them, or are otherwise affected by them, a finer degree of control over what is happening around them, allowing this technology to improve existing ones by increasing their usefulness and efficiency. As a simple example, in the context of a smart home, a user can manually command actions or set conditions that trigger those actions according to his preferences. This means that things such as controlling room temperature and lighting, opening doors, ordering something when it runs out or turning appliances on can be performed automatically when the conditions approved by the user are met. In medicine, for example, Internet of Things (IoT) systems allow for the creation of more effective patient monitoring and diagnostic systems as well as resource management in general, as patients could potentially carry sensors that allow for constant monitoring, thus assisting in diagnostics and in emergency situations. This last example raises an obvious and very important issue with this type of technology, which is security. If IoT systems are not properly secured, a malicious actor could potentially access or modify private patient or hospital data as well as disable or tamper with the sensors, among other malicious scenarios that could potentially result in harm to equipment or even human lives.
Given the speed at which this technology is evolving and new systems are being created and implemented, security is often seen as an afterthought, which results in insufficient or poorly implemented security measures that allow attackers to easily disrupt the functioning of the system or even to steal sensitive data from it. Therefore, it is critical to perform an adequate security analysis right from the start of the system design process. By understanding the security requirements relevant to a system, it is possible to implement adequate security measures that prevent attacks or other malicious actions from occurring, thus safeguarding data and allowing the system to perform as originally intended. The goal of this dissertation is to explore the principles behind system and threat modeling in order to develop a prototype tool to assist users - even those with limited security knowledge - in the identification of security requirements, threats and good practices. Hopefully, this prototype should prove able to help developers better define security requirements early in the system design stage, as well as include the correct defensive measures in the development stages. This prototype was developed in the context of the SECURIoTESIGN project, as it integrates two other tools created in its context to assist in the identification of the requirements from information provided by the user. This dissertation produced a web application capable of handling the user inputs containing relevant system requirement and recommendations information, and then processing them in order to extrapolate the relevant system and threat modeling information. The validation process for this prototype consisted of comparing a manual system and threat analysis created by an expert with the results obtained by volunteers using the prototype application, and verifying how correct the tool's analysis is.
The results were satisfying and the proposed objectives were successfully achieved.
id RCAP_69a925be20199e11127f0f73be05b29f
oai_identifier_str oai:ubibliorum.ubi.pt:10400.6/11092
network_acronym_str RCAP
network_name_str Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
repository_id_str 7160
Abstract (translated from the Portuguese version): The Internet of Things (abbreviated IoT) is the name given to the technologies that allow any device (called a thing in this context) to communicate directly with another, as well as with machines, applications and databases, among other technologies. This allows devices in a given environment to interact with each other and even to make decisions autonomously based on the data they receive. This integration of new technologies into everyday devices gives users finer control over what each device is able to do, thereby increasing the usefulness and efficiency of those devices. Some examples of the applicability of this additional control can be seen in smart homes, in which users can remotely control the equipment in their home, or even define its control automatically based on certain parameters determined by the equipment. This means that tasks such as controlling temperature and lighting, opening and closing doors, turning appliances on or off, or even automatically ordering a product when it runs out can all be carried out automatically when the right conditions are met.
Another example could be in the field of medicine, in which IoT-based systems can allow the creation of more efficient patient monitoring and diagnostic systems, which brings benefits for the management of hospital resources, since patients could simply carry sensors that monitor them permanently, assisting in diagnostic processes and in emergencies. However, this last example draws attention to the obvious and very important problem with these technologies, which is security (or the lack of it). If IoT systems do not comply with the most adequate security measures, an attacker could potentially access or modify patient or hospital data, or even make modifications to the equipment itself. These would be extremely serious violations of the system's security, which could even cause damage to material goods or, in extreme cases, the loss of human lives. Given the speed at which these technologies are evolving, and at which new systems are being developed and implemented, system security tends to be somewhat forgotten and ends up being one of the last aspects considered when these systems are designed. This results in insufficiencies and flaws at the security level, which allow attackers to alter the normal operation of the system or even to steal data from it. It is extremely important to carry out a good survey of the security requirements that the system must implement right from the initial phases of design and architecture planning. Only when the security requirements are fully understood is it possible to plan and implement the adequate security measures for the system being designed. The main goal of this dissertation is to explore the principles behind system and threat modeling.
In this way, the aim is to develop a prototype of a tool capable of assisting users - even those with limited knowledge of security - in identifying security requirements and threats to the system, as well as providing pertinent information to address these aspects. This tool should be able to assist developers, designers and software engineers with the processes of defining requirements and preventive security measures, from the initial stages of system planning. This prototype was developed in the context of the SECURIoTESIGN project; it integrates two other tools that help identify requirements from information provided by the user and that will serve as inputs to the prototype developed here. This dissertation produced a web application capable of receiving user inputs containing the system's requirements and recommendations, and from processing them it is possible to obtain the system and threat modeling. The validation process for the prototype developed here consisted of comparing a system and threat modeling analysis produced manually by an expert with the analyses obtained by volunteers through the prototype of this web application, and verifying how correct the analysis produced by the prototype is. Overall the results were satisfactory, with the prototype able to achieve a quite correct analysis compared with the one produced by the expert.
It can thus be concluded that the goals of this dissertation were successfully achieved.
dc.title.none.fl_str_mv Modeling Attacks in IoT to Assist the Engineering Process
author Rodrigues, Luís Carlos Mendes
author_facet Rodrigues, Luís Carlos Mendes
author_role author
dc.contributor.none.fl_str_mv Inácio, Pedro Ricardo Morais
Simões, Tiago Miguel Carrola
uBibliorum
dc.contributor.author.fl_str_mv Rodrigues, Luís Carlos Mendes
dc.subject.por.fl_str_mv Internet das Coisas
Modelação de Ameaças
Modelação de Sistemas
Segurança Em Iot
Domínio/Área Científica::Engenharia e Tecnologia::Engenharia Eletrotécnica, Eletrónica e Informática
publishDate 2020
dc.date.none.fl_str_mv 2020-11-06
2020-09-21
2020-11-06T00:00:00Z
2021-01-28T15:48:37Z
dc.type.status.fl_str_mv info:eu-repo/semantics/publishedVersion
dc.type.driver.fl_str_mv info:eu-repo/semantics/masterThesis
format masterThesis
status_str publishedVersion
dc.identifier.uri.fl_str_mv http://hdl.handle.net/10400.6/11092
TID:202576906
url http://hdl.handle.net/10400.6/11092
identifier_str_mv TID:202576906
dc.language.iso.fl_str_mv eng
language eng
dc.rights.driver.fl_str_mv info:eu-repo/semantics/openAccess
eu_rights_str_mv openAccess
dc.format.none.fl_str_mv application/pdf
dc.source.none.fl_str_mv reponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação
instacron:RCAAP
instname_str Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação
instacron_str RCAAP
institution RCAAP
reponame_str Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
collection Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
repository.name.fl_str_mv Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação
repository.mail.fl_str_mv
_version_ 1799136398963376128