SBIR-STTR Award

AMBER (Automatic Monitoring [and Mitigation] with Blockchain-Enabled Reporting)
Award last edited on: 4/20/2021

Sponsored Program: SBIR
Awarding Agency: DOD : DLA
Total Award Amount: $99,999
Award Phase: 1
Solicitation Topic Code: DLA202-002
Principal Investigator: Zak Fry

Company Information

GrammaTech Inc

531 Esty Street
Ithaca, NY 14850
(607) 273-7340
info@grammatech.com
www.grammatech.com
Location: Multiple
Congr. District: 23
County: Tompkins

Phase I

Contract Number: SP4701-21-P-0010
Start Date: 12/2/2020    Completed: 6/1/2021
Phase I year: 2021
Phase I Amount: $99,999
GrammaTech proposes AMBER (Autonomic Monitoring [and Mitigation] with Blockchain-Enabled Reporting), a framework to harden Internet of Things (IoT) devices against cyber-attacks. AMBER builds on existing GrammaTech technologies to provide an end-to-end security solution, including (1) a framework for automatically generating and installing runtime verification policies and attack mitigation techniques on devices; (2) a distributed, blockchain-based logging framework to encode and report perceived attacks across devices, supporting secure, redundant real-time reporting and forensic playback; and (3) a Reasoning Engine (RE) server that performs offline forensic and remediation work to mitigate future attacks and reports attacks to administrators and analysts.

Commercial, off-the-shelf devices increasingly incorporate network connectivity, leveraging IoT-style deployments to support remote monitoring and control. Unfortunately, many of these devices lack the software sophistication and resilience to stave off cyber-attacks. As a result, attackers use them to compromise networks and impede operations. AMBER will provide increased device resilience against the entire attack spectrum.

For example, consider an AMBER deployment in a logistical staging warehouse featuring IoT-connected devices, including IP-based security cameras, GPS-enabled delivery trucks, and HVAC controllers. AMBER will embed monitors into the devices’ firmware using binary instrumentation in order to watch for anomalous behavior at runtime. Suppose an attacker uses a known exploit against an IP-based security camera to retrieve credentials, including passwords (such as the real-world vulnerability CVE-2013-1605). When this attack occurs, AMBER’s embedded firmware monitors will identify the anomaly, take action to prevent the attack (e.g., disable connections from the attacker’s IP address), and log the attack and response as part of the distributed ledger technology (DLT) blockchain, which is then propagated across the entire staging warehouse. When any AMBER-secured device containing this blockchain synchronizes with the RE server, it will report the updated blockchain, informing the server of the attack and the local mitigation actions. The RE server will report this attack to the local administrator and use a combination of planning and machine learning (ML) to secure the camera’s firmware against future attacks of the same kind.

In summary, AMBER is a holistic monitor-and-response system that will operate across the Defense Logistics Agency’s (DLA) cyber-infrastructure to defend against cyber-attacks, preserve forensic attack information in a distributed, real-time and replayable way, and use this forensic information to prevent similar attacks. Leveraging GrammaTech’s existing binary rewriting and autonomic technologies, AMBER will identify, assess, report, and mitigate cyber-attacks against devices with varying capabilities, architectures, and “size, weight, and power” (SWaP) constraints.
