January 5, 2018 | By Joel Odom
The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), recently launched its "Mitigating IoT-Based DDoS" project, which seeks to automatically control network access for IoT devices, both to protect the devices from exploitation and to mitigate the damage they could cause if exploited. The project uses "Manufacturer Usage Descriptions" (MUD), a proposed technology that would allow a device to describe its operating characteristics to a network so that the network can limit the device's communication capabilities. If successful, this would make an IoT device harder to compromise, because it could no longer be accessed in unexpected ways. It would also mean that a compromised device could not easily be used as part of a DDoS attack, because the device's host network would block the unexpected behavior. The NCCoE project is currently seeking technology vendors to participate in a demonstration showing how MUD could provide security in home and commercial settings.
"The internet is designed to carry arbitrary digital information and to move that information at the highest speed possible. This is because traditional computing devices run different kinds of programs, and it is generally impossible to anticipate what programs may run and what information any possible program may need to exchange. The IoT world is different. IoT devices typically perform a limited function and communicate with a limited number of endpoints. For example, an internet-connected HVAC system in a residence probably only needs to communicate with core networking features such as DHCP, a set of update servers to receive updates, and a small set of endpoints that enable smart features. The HVAC system doesn't need to communicate with arbitrary endpoints on the internet, the HVAC system doesn't need arbitrary protocols, and the HVAC system doesn't need a lot of bandwidth.
"Using MUD, a network can understand the communication needs of the HVAC system in this example and limit the endpoints that the HVAC system can talk to based on the description provided by MUD. This would make the HVAC system harder to compromise because communication with the system could not come from arbitrary endpoints. Furthermore, if the HVAC system is compromised, the network can prevent the attacker from pivoting to other systems in the home, and the network can limit denial-of-service attacks from the compromised system by dropping packets to unexpected endpoints and by limiting the bandwidth that the system can use. I think that this is a smart idea that could make the IoT world safer."
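To make the enforcement concrete, here is an added example (not code from the NCCoE project or from the author): a small Python checker that evaluates device-originated flows against a constructed, simplified MUD-style description of the HVAC system above. The file layout follows the JSON/YANG structure of the MUD specification (RFC 8520, the published form of the proposal); the vendor hostnames, ports and helper names are assumptions for illustration.

```python
import json
# Constructed sample (not from the NCCoE project): a simplified MUD-style
# description for a residential HVAC controller, following the JSON/YANG
# layout of RFC 8520. Only the fields this checker reads are present.
HVAC_MUD = json.loads("""{
 "ietf-mud:mud": {"mud-version": 1, "from-device-policy":
   {"access-lists": {"access-list": [{"name": "from-hvac"}]}}},
 "ietf-access-control-list:acls": {"acl": [{"name": "from-hvac", "aces": {"ace": [
   {"name": "dhcp", "matches": {"ipv4": {"protocol": 17},
      "udp": {"destination-port": {"operator": "eq", "port": 67}}},
    "actions": {"forwarding": "accept"}},
   {"name": "update", "matches": {"ipv4": {"protocol": 6,
      "ietf-acldns:dst-dnsname": "updates.hvac-vendor.example"},
      "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
    "actions": {"forwarding": "accept"}},
   {"name": "cloud", "matches": {"ipv4": {"protocol": 6,
      "ietf-acldns:dst-dnsname": "smart.hvac-vendor.example"},
      "tcp": {"destination-port": {"operator": "eq", "port": 8883}}},
    "actions": {"forwarding": "accept"}}
 ]}}]}}""")

L4_NODE = {6: "tcp", 17: "udp"}  # IP protocol number -> ACE match node

def _ace_matches(ace, dst_name, proto, dport):
    """True when the ACE's ipv4/tcp/udp clauses all fit the flow; no
    dst-dnsname means 'any destination' (used here for DHCP broadcast)."""
    m = ace["matches"]
    ip = m.get("ipv4", {})
    if ip.get("protocol") != proto:
        return False
    want = ip.get("ietf-acldns:dst-dnsname")
    if want is not None and want != dst_name:
        return False
    rule = m.get(L4_NODE.get(proto, ""), {}).get("destination-port")
    if rule and rule["operator"] == "eq" and rule["port"] != dport:
        return False
    return True

def flow_allowed(mud, dst_name, proto, dport):
    """Default-deny check of one device-originated flow against the
    from-device ACLs the MUD file names; unmatched traffic is dropped."""
    wanted = {a["name"] for a in mud["ietf-mud:mud"]["from-device-policy"]
              ["access-lists"]["access-list"]}
    for acl in mud["ietf-access-control-list:acls"]["acl"]:
        if acl["name"] not in wanted:
            continue
        for ace in acl["aces"]["ace"]:
            if _ace_matches(ace, dst_name, proto, dport):
                return ace["actions"]["forwarding"] == "accept"
    return False  # nothing matched: pivot and DDoS-style flows end here
```

The default-deny fall-through is the part that matters for the post's argument: a flow to a LAN host or to an arbitrary internet address matches no ACE and is dropped, whatever the compromised device tries.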
For further reading
- NCCoE "Mitigating IoT-based DDoS" Project: https://nccoe.nist.gov/projects/building-blocks/mitigating-iot-based-ddos
Joel Odom leads a team of researchers focused on software security as branch head for the Cybersecurity, Information Protection, and Hardware Evaluation Research (CIPHER) Laboratory at the Georgia Tech Research Institute. He and his team research static and dynamic software analysis, software testing techniques, software reverse engineering, and software vulnerability discovery and mitigation.