Software Engineering Institute

August 19, 2020—Commodity Internet-of-Things (IoT) devices can add an array of sensing functionality to an organization’s IT infrastructure, but notoriously poor IoT security can put a network at risk. Kalki, a novel, software-defined IoT security platform, can allow IoT devices that are not fully trusted or configurable to be integrated into networked systems. It can even provide new capabilities for keeping networks and physical assets safe. The SEI’s Software Solutions Division (SSD), in collaboration with Carnegie Mellon University’s CyLab, recently released the source code for Kalki to the community.

Devices from thermostats, to autonomous vehicles, to traffic signals have been outfitted to sense or control something about their physical environment and communicate over the Internet. Estimates of the number of connected IoT devices range in the tens of billions.

The explosion of IoT devices onto the market has led their vendors to focus on functionality and scale at the cost of scattershot security relegated to embedded systems with limited resources. The security of IoT devices is not standardized, and supply chains cannot be trusted. “These different characteristics make it very challenging to secure IoT devices,” warns Sebastián Echeverría, an SSD senior engineer and lead researcher on the Kalki project.

IoT devices have been the root of many recent attacks and vulnerabilities. In 2018, Princeton researchers demonstrated that high-wattage IoT devices could be manipulated to bring down the power grid. Last year, a Mirai botnet was found on routers and other IoT devices. Just this summer, the Ripple20 series of zero-day vulnerabilities was found on a common TCP/IP software library embedded in millions of IoT devices.

The Department of Defense (DoD) is already incorporating IoT devices into systems requiring high assurance, such as supervisory control and data acquisition (SCADA) systems for physical plants. Plugging vulnerable devices into tactical systems, medical devices, and critical infrastructure deployments demands security that IoT devices themselves cannot provide. “Since it’s very hard to have security on the devices themselves, and there are a lot of devices that do not have any sort of security,” said Echeverría, “moving that layer of security to the network is a good strategy for supporting IoT devices.”

Kalki, named after the avatar of the Hindu god Vishnu that fights filth and brings purity, is a software-defined IoT security platform that sits between IoT devices and the network. Kalki uses network function virtualization (NFV) to implement capabilities in software that are traditionally implemented in hardware such as gateways and firewalls.

Unlike the broad, all-or-nothing security functions of firewalls, Kalki provides fine-grained monitoring and protection of each device with a custom set of what the Kalki team calls µmboxes, or micro-m-boxes. These virtualized security functions are designed for the specific vulnerabilities, traffic, and sensors of each device. Such atomized protection allows Kalki to isolate a single device without affecting any others.

Nearly any kind of security measure can be built into a µmbox. “For example, if a device doesn’t have any sort of authentication, you can have a µmbox to add a layer of authentication to that device,” said Echeverría. “This is very transparent for the system. You just package one of these µmboxes and tie it in.”

The µmbox approach sprang from research led by Tianlong Yu and others at the Carnegie Mellon University (CMU) School of Computer Science. They champion a change to the existing enterprise security approach of system-spanning, host-based solutions such as firewalls, antivirus, and software patches. In the face of the heterogeneous and ever-evolving vulnerabilities of IoT devices, these broad, traditional measures cannot isolate security enforcement to particular devices, lack the context to customize security policies per device, and are not agile enough to respond to security events.

“We need to have fine-grained, context-aware, and isolated policies for individual endpoints in the network,” said Vyas Sekar, professor in CMU’s Department of Electrical and Computer Engineering and a partner on the Kalki project. “These µmboxes are essentially the logical extreme of today’s network gateways and middleboxes: tiny gateways or smart firewalls that guard every single endpoint.”

The µmboxes analyze the IoT device traffic for cyber attacks. The platform itself detects and synthesizes the devices’ physical-state variables, an ability that can monitor for kinetic attacks. For example, if it’s after business hours, a motion sensor reports movement, and the lights report being off, Kalki can see those combined states as a potential physical intrusion and alert a human operator.

Adding a new device model to a network requires a human Kalki developer to research the device’s vulnerabilities, understand its application programming interface (API), and create new µmboxes. “In theory, that’s something that an agency could do themselves,” said Echeverría. “We’ve tried to make the platform also very well documented, user-friendly, and very simple to be extended.” Future research may seek to partially automate this manual process by using artificial intelligence and machine learning to research devices and build custom security policies.

Two years of design, development, simulation, and red-teaming exercises have led to the release this July of the Kalki source code on the SEI’s GitHub site. The release enables others to try the comprehensive, flexible, and highly configurable system for themselves and even extend it.

The next step for Echeverría, Sekar, and their colleagues is to continue to refine the user interface and simplify the integration of new devices and security policies. The team also seeks partners to pilot Kalki in a testbed deployment. “Kalki will allow the DoD and other organizations to connect the latest and most advanced commercial IoT devices to their trusted networks,” said Echeverría, “ensuring that both their networks and their devices will be protected from malicious attackers.”

Experiments at the SEI have shown Kalki to be resilient against all anticipated attacks, scalable to support dozens of devices with a single Kalki implementation, and able to shift security postures in less than one second, even in the face of simulated persistent attackers.

“Kalki is an end-to-end system with built-in trustworthy guarantees that’s tackling a fundamentally hard problem of IoT security,” said Sekar, speaking about the many collaborations and iterations that led to July’s source-code release—and the work still to come. “We want to have extensible policies and rigorous security guarantees, avoid subtle problems, and get good performance on low-cost hardware. This is like the Holy Grail for network security.”

The full Kalki team includes the SEI’s Echeverría, Chris Grabowski, Keegan Williams, Grace Lewis, Craig Mazzotta, Marc Novakouski, Kyle O’Meara, and Amit Vasudevan. The CMU team members are Sekar, Matt McCormack, and Grace Liu.

Download the Kalki source code from https://github.com/SEI-TAS/kalki-node-setup/wiki. To learn more about Kalki, read Echeverría’s blog post, and check out his 2019 Research Review video, presentation, and poster.