What is it?

Stemming from Greek mythology, Soteria is the Greek goddess of safety, salvation, and deliverance from harm. As this system was designed to protect residential networks, the name was a good fit.

The project found within this site is a specification-based IDS/IPS with the aim of reducing the spread and impact of IoT botnets by blocking malicious outbound traffic from a compromised device. It is a Major Qualifying Project submitted to the faculty of Worcester Polytechnic Institute in partial fulfillment of the requirements for the degree of Bachelor of Science in Computer Science.

  • Soteria is reliable - Our system needed to be able to be started and stopped many times without issue. Beyond that, as it is a security project, it needs to maintain the security of the system and be robust in that regard.
  • Soteria is efficient - As our system functions at the routing level, it must not weigh down the low-resource hardware found in most residential routers.
  • Soteria is scalable - This system was designed to be deployed by multiple users, manufacturers and third-party security providers.

How to build and use it

Middlebox

This system is built with the Rust programming language and the Cargo package manager. The main way the program will be built, run, and tested is via Cargo.

First, change to the middlebox directory, which contains the Cargo project and its Cargo.toml file:
cd middlebox

Install the following dependency with Cargo:
cargo install diesel_cli --no-default-features --features postgres

In order to build the program from the terminal:
cargo build

In order to build and then run the program from the terminal:
cargo run

In order to build and run the unit and integration tests from the terminal:
cargo test

To change how much output is printed to the screen, set the RUST_LOG environment variable to INFO, DEBUG, or ERROR.

More information about using Cargo can be found at https://doc.rust-lang.org/cargo/index.html

Client

As the client did not have as many performance requirements as the middlebox, it was decided to build it in Python 3, as there is a lot of library support for performing a variety of tasks. The first thing needed to get the client up and running is Python 3. Real Python has outlined a simple guide to installing it on a variety of operating systems at https://realpython.com/installing-python/.

Once Python 3 is installed, the user needs to create a virtual environment. Virtual environments allow users to create their own isolated site directories, such that only the required packages and nothing more need to exist in the environment. To create a virtual environment, type python3 -m venv /path/to/new/virtual/environment. Pip is the preferred installer program; starting with Python 3.4, it is included by default with the Python installation.

Once the environment is created, you need to source the environment. This loads the environment with the required packages so that when you run the Python scripts they will work as desired. This is done by typing source environment_name/bin/activate. To leave the environment, type deactivate. While in the environment, there are a few packages that need to be installed. To make it simple for the user, we provide a requirements.txt file that tells pip which packages to install. To install the packages, type pip install -r requirements.txt.

Once this is done, the project can be run by typing python3 -m iot_client_sim. This runs the package's __main__.py file, which then triggers normal_traffic.py and send_advertisement.py at regular intervals.

How it works

Middlebox

Advertisements

The advertisement thread runs from the advertisement.rs file. This thread loops indefinitely, receiving connections and processing them. The code checks whether it has received a policy with a valid certificate. If it has, the new policy is added to the database, or updates the existing entry if the revision number of the new policy is higher than that of the current policy. If the certificate is not valid or the revision number is lower, the new policy is not added to the database. Together, these two conditions protect our system from man-in-the-middle attacks and replay attacks.
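The acceptance logic described above, as an added example that is not the project's advertisement.rs code: the manufacturer's certificate check is modelled here by an HMAC-SHA256 tag over the policy body under a per-manufacturer key (an assumption standing in for signature verification), and an advertisement whose revision is equal to the stored one is treated as a replay (also an assumption; the page only states that lower revisions are rejected).

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumption: per-manufacturer verification keys known to the middlebox.
# A constructed demo key stands in for the certificate check.
MANUFACTURER_KEYS = {"acme": b"constructed-demo-key"}


@dataclass(frozen=True)
class Policy:
    manufacturer: str
    device_id: str
    revision: int
    allowed_hosts: tuple


def policy_bytes(p: Policy) -> bytes:
    """Canonical encoding of the policy body that the tag covers."""
    return json.dumps(
        [p.manufacturer, p.device_id, p.revision, list(p.allowed_hosts)]
    ).encode()


def sign(p: Policy, key: bytes) -> str:
    """Tag the policy (what the manufacturer side would do)."""
    return hmac.new(key, policy_bytes(p), hashlib.sha256).hexdigest()


def process_advertisement(store: dict, p: Policy, tag: str) -> str:
    """Apply the two checks from the text: valid certificate, then newer revision."""
    key = MANUFACTURER_KEYS.get(p.manufacturer)
    # Tampered body, wrong key or unknown manufacturer: constant-time compare fails.
    if key is None or not hmac.compare_digest(sign(p, key), tag):
        return "rejected: invalid certificate"
    current = store.get(p.device_id)
    # Replayed (same revision) or older policy is ignored; only newer ones update.
    if current is not None and p.revision <= current.revision:
        return "rejected: stale revision"
    store[p.device_id] = p  # insert or update the device's policy
    return "accepted"
```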

Firewall

TLS Interception

The middlebox receives TLS key information in SSLKEYLOGFILE format transmitted to it by the client. The key information is fed to Tshark, which decrypts the HTTPS connection. Tshark tells our middlebox code the contents of the HTTP host header, which is then used for enforcing firewall policy.

The decryption process runs periodically: every ?? milliseconds, any HTTP host headers observed in the last ?? milliseconds are collected. Ideally the decryption would happen in real time, but this is what we could achieve for this proof-of-concept project.

Centralized Policy Manager

Client

The client’s primary goal is to simulate normal traffic and send advertisements. Utilizing the Tox tool with the PyLint and Flake8 plugins, the team was able to ensure the code is standardized and will run without problems from multiple developers. Within the client code, there are three primary files that get run. The first file is normal_traffic.py. This file is responsible for generating the normal network traffic outlined below. The second file is send_advertisement.py. This file is responsible for sending the multicast advertisement. The final file is __main__.py. This file is responsible for running both normal_traffic.py and send_advertisement.py. It first creates a thread for each file. After that, it runs normal_traffic.py every three seconds and send_advertisement.py every five seconds. This timing allows for there to be non-collisions, near-collisions, and collisions within the network.

Why we built it?

As consumer home automation devices rapidly gain popularity, more and more examples exist of these devices being compromised at scale to create large botnets. While it would seem obvious that security is a priority for device manufacturers, that is not always the case. This project was designed to have the ability to alert the owner of compromised IoT devices so that they can take remedial action. Beyond that, it is able to alert the manufacturer of compromised IoT devices so that the manufacturer can have increased awareness of vulnerabilities being exploited in the wild. Finally, we expect that with adoption, it will help prevent further IoT device exploitation given the increased awareness on the manufacturer’s behalf.

If you would like to learn more about this project, please feel free to check out our research paper at the button below:

Meet the Team

Matthew Hagan

Matthew Hagan is a senior double major in Computer Science and Electrical/Computer Engineering with a concentration in Cyber Security. Functioning as the project manager, he was primarily responsible for motivating the project and ensuring that the team was able to meet the desired deadlines. Beyond this, he was responsible for the client code, cross-compilation efforts, OpenWRT router and WAP setup, user notifications on the middlebox, parts of the diesel database, large sections of the paper, and this website.

To learn more about Matt, please feel free to visit his Github linked below or to shoot him an email using the buttons below:

Ryan LaPointe


Peter Maida

I’m pursuing a master’s degree at WPI. I am interested in cybersecurity and the defense sector. My favorite programming language to develop in is Java, but I have had experience with C, C++, Python, and Rust. Some of my hobbies include working on side projects, playing video games, exercising, and hanging out with friends.

Professor Craig Shue

Craig Shue is an Associate Professor in the Computer Science Department and the Cyber Security Program at the Worcester Polytechnic Institute. He served as one of the advisors to this project, advising the computer science students within the research space.

To learn more about Craig, please feel free to visit his webpage linked below or to shoot him an email using the buttons below:

Professor Berk Sunar

Berk Sunar is an Associate Professor in the Electrical and Computer Engineering Department at the Worcester Polytechnic Institute. He served as one of the advisors to this project, advising the electrical and computer engineering student within the research space.

To learn more about Berk, please feel free to visit his webpage linked below or to shoot him an email using the buttons below: