Optimizing System Configurations for Functionality and Security

Optimizing System Configurations for Functionality and Security

A very large number of cybersecurity solutions available today begin with security in mind. They will, for example, scan your system for vulnerabilities and identify the assets that are open to attackers. Some tools even go a step further and suggest ways to configure the system, either based on past experience or domain knowledge, such that the vulnerabilities are mitigated. Each configuration change must then be checked against the system’s intended function to ensure that the desired functionality is not lost in the quest for security. In this blog, we want to describe a cybersecurity solution of a fundamentally different nature – one that solves the inverse problem, beginning with your system’s desired functionality in mind, and then optimizing the overall configuration such that functionality is preserved while maximizing security. In so doing, this solution, developed at PARC, provides a flexible tradeoff between security and functionality, and clarifies the price paid in terms of security to achieve a given functionality.

The Perils of Misconfiguration

Modern cyber-physical systems contain a large number of interconnected devices for measuring, monitoring and controlling physical parameters – i.e. temperature, pressure, humidity, consumption of electricity or gas or water. Human lives, economies and livelihoods depend on the correct, safe and reliable functioning of our critical infrastructure. Today, devices interact in increasingly complex ways with external systems such as the electrical grid or the open internet. This increases the potential impact of attacks on such systems. It is thus critical to configure these devices, the software that runs on them, and the network that connects them in a way that maximizes security while still being able to perform the desired functions.

Misconfigured cyber systems are not only susceptible to faults but are also exploited by attackers to sabotage or access key resources. As much as 65-70% of all security-related downtime in cloud-connected critical infrastructure is attributed to misconfiguration [Nunnikhoven-2021]. Furthermore, vulnerabilities that stem from misconfiguration have been found to have a greater security impact than those unrelated to configuration (See Figure 1). To make matters worse, misconfigurations tend to remain unaddressed for a very long time – more than 300 days – before they are corrected. In many large IoT systems – such as Substation Automation Systems in the power grid – the cost of the system is driven not by the number of components but the overhead and effort needed to configure it. Addressing misconfigurations is thus a critical problem.

Toward a Configuration Security Solution

PARC researchers began working on configuration security for large IoT systems in 2017. From a technical perspective, this is a hard problem to solve. One may, with a lot of effort and based on years of experience, be able to find a secure configuration for a few interconnected devices. However, the available number of configurations for an expansive interconnected system is exceedingly large, and finding a secure configuration is tantamount to finding a needle in a haystack.

Funded by the Defense Advanced Research Projects Agency (DARPA) and Xerox Corporation, PARC developed SCIBORG, a technology that improves the security posture of a system-of-systems, by optimizing the configuration of its hardware, software and networking components. Given an initial or default configuration, SCIBORG tells a system operator which configuration parameter values should be changed, what the new values should be, why those changes should be made, and what security gains are made as a result.

SCIBORG has been evaluated thoroughly on several IoT testbeds as part of DARPA’s Configuration Security (ConSec) program. In each evaluation, unknown to the research teams, a security red team inserted vulnerabilities into the system-under-test. The performers then had to discover the vulnerabilities, address them automatically by means of configuration changes and explain the rationale behind the changes.

SCIBORG: A Technology Overview

We designed SCIBORG to include four frameworks, distinguished on the basis of their technological function.

1. The Ingestion Framework consists of mechanisms and software to ingest configuration information in various formats. It also ingests supporting information such as vulnerability databases of interest for the application being considered.

2. The Modeling Framework consists of mechanisms to turn the ingested information into a multi-layer graph. This graph encodes the functional dependencies amongst the various components of the IoT system. Furthermore, it encodes the mathematical constraints amongst the configuration parameters for these components. Finally, it encodes the vulnerabilities that can compromise or degrade the system’s assets. Crucially, the vulnerabilities are linked, i.e., exploiting vulnerability A in asset X may create a precondition for the exploitation of vulnerability B in asset Y. Here, SCIBORG extends the conventional definition of an attack surface to an “attack volume,” comprising attack paths that compromise more precious assets inside the composed system. The three graph layers have connections across them. These connections capture the fact that configuration settings must satisfy the dependency subgraph, that specific configurations create preconditions for exploitation of vulnerabilities, and that vulnerabilities degrade the functionalities expressed in the dependency subgraph.

3. The Reasoning Framework examines constraint relationships amongst the configuration parameters. At its heart is an SMT (Satisfiability Modulo Theory) solver and several other customized solvers which automatically derive an overall configuration that satisfies all functional constraints while maximizing the overall security posture.

4. The last framework is an Interactive Explainer that describes which configuration parameter settings were changed during a test run and articulates why the changes were made, e.g., whether they enabled functionality, or increased security, or conformed to a best practice, and so on.

Recognition for SCIBORG

In addition to DARPA’s continuing support, SCIBORG’s technological contributions have been recognized in the form of peer-reviewed publications in international conferences and journals. In particular, a paper describing SCIBORG’s initial technology won the Best Paper Award at the IEEE International Conference on Computer Networking and Security (CNS) in June 2020 [Soroush20CNS]. That paper described an end-to-end SCIBORG solution for the home IoT system, including evaluation results on a testbed developed by Sandia National Labs.

More recently, SCIBORG researchers showcased a scheme that allows practitioners to produce a customizable ranking of vulnerabilities for a given IoT system, along with a historical view of the prevalence and severity of the vulnerabilities [Iganibo22SECrypt]. Based on a flexible ranking scheme that is baked into SCIBORG, this approach differs from a fixed vulnerability ranking published every year by MITRE corporation. This recent work was awarded the Best Paper prize at the Security and Cryptography Conference (SECrypt) in July 2022.

From Research to Industry

AS SCIBORG has matured, researchers at PARC have begun to explore the commercialization potential of this technology in various application areas. Independent validation of SCIBORG’s promise came from DARPA, which funded the original research on SCIBORG. As the ConSec program drew to a close in early 2022, DARPA awarded PARC with additional funding to explore commercialization hypotheses.

Researchers at PARC are currently engaged in developing a proof of concept which can be used to demonstrate the use of SCIBORG technology at scale.

For more information

To find out more about SCIBORG, please refer to the following resources:

[Nunnikhoven-2021] M. Nunnikhoven, The Top Worry In Cloud Security for 2021, January 13, 2021.

[Soroush20CNS] H. Soroush, M. Albanese, M. A. Mehrabadi, I. Iganibo, M. Mosko, J. Gao, D. Fritz, S. Rane and E. Bier, SCIBORG: Secure Configurations for the IoT Based on Optimization and Reasoning on Graphs, IEEE Conference on Networking and Security (CNS 2020), Virtual Conference, June 2020, Best Paper Award.

[Iganibo22SECrypt] Iganibo, I., Albanese, M., Mosko, M., Bier, E. and Brito, A.E., 2021. Vulnerability Metrics for Graph-based Configuration Security. In SECRYPT (pp. 259-270), Best Paper Award.

Header image credit: Shubham Dhage