This document presents Radium, a secure policy engine in the hypervisor that provides integrity measurement of computing environments. It first defines the problem of trusting computing devices and their components, then gives background on the technologies it builds on: SRTM, DRTM and Flask. The Radium architecture employs DRTM to boot a trusted hypervisor, adds an asynchronous root of trust for measurement (ARTM) so that running environments can be measured after boot rather than only at load time, and uses a mandatory access control policy in the hypervisor to regulate access between trusted and untrusted environments. The prototype implementation and evaluation show that Radium can provide timely integrity measurements with zero downtime compared to traditional trusted systems. Future work includes incorporating Intel SGX and reducing the hypervisor's trusted computing base.
Breaking hardware enforced security with hypervisors (Priyanka Aash)
"Hardware-Enforced Security is touted as the panacea solution to many modern computer security challenges. While certainly adding robust options to the defenders toolset, they are not without their own weaknesses. In this talk we will demonstrate how low-level technologies such as hypervisors can be used to subvert the claims of security made by these mechanisms. Specifically, we will show how a hypervisor rootkit can bypass Intel's Trusted Execution Environment (TXT) DRTM (dynamic root of trust measurement) and capture keys from Intel's AES-NI instructions. These attacks against TXT and AES-NI have never been published before. Trusted computing has had a varied history, to include technologies such as Trusted Execution Technology (TXT), ARM TrustZone, and now Microsoft Isolated User Mode and Intel SGX. All of these technologies attempt to protect user data from privileged processes snooping or controlling execution. These technologies claim that no elevated process, whether kernel based, System Management Mode (SMM) based, or hypervisor based will be able to compromise the user's data and execution.
This presentation will highlight the age-old problem of misconfiguration of Intel TXT by exploiting a machine through the use of another Intel technology, the Type-1 hypervisor (VT-x). Problems with these technologies have surfaced not as design issues but during implementation. Whether there remains a hardware weakness where attestation keys can be compromised, or a software and hardware combination, such as exposed DMA that permits exfiltration, and sometimes modification, of user process memory. This presentation will highlight one of these implementation flaws as exhibited by the open source tBoot project and the underlying Intel TXT technology. Summation will offer defenses against all too often pitfalls when deploying these systems, including proper deployment design using sealed storage, remote attestation, and hardware hardening."
(Source: Black Hat USA 2016, Las Vegas)
"The secure enclave processor (SEP) was introduced by Apple as part of the A7 SOC with the release of the iPhone 5S, most notably to support their fingerprint technology, Touch ID. SEP is designed as a security circuit configured to perform secure services for the rest of the SOC, with with no direct access from the main processor. In fact, the secure enclave processor runs it own fully functional operating system - dubbed SEPOS - with its own kernel, drivers, services, and applications. This isolated hardware design prevents an attacker from easily recovering sensitive data (such as fingerprint information and cryptographic keys) from an otherwise fully compromised device.
Although almost three years have passed since its inception, little is still known about the inner workings of the SEP and its applications. The lack of public scrutiny in this space has consequently led to a number of misconceptions and false claims about the SEP.
In this presentation, we aim to shed some light on the secure enclave processor and SEPOS. In particular, we look at the hardware design and boot process of the secure enclave processor, as well as the SEPOS architecture itself. We also detail how the iOS kernel and the SEP exchange data using an elaborate mailbox mechanism, and how this data is handled by SEPOS and relayed to its services and applications. Last, but not least, we evaluate the SEP attack surface and highlight some of the findings of our research, including potential attack vectors."
(Source: Black Hat USA 2016, Las Vegas)
The lecture by Sartakov A. Vasily for Summer Systems School'12.
Brief introduction to Trusted Computing.
SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.
1. http://ksyslabs.org/
Security for IoT, Apr 29th Mentor Embedded Hangout (mentoresd)
Security Strategies for Internet of Things From Devices to The Cloud -- these slides were presented during a live Google+ On-Air Hangout Panel on April 29th, 2014, presented by Mentor Graphics Embedded Software
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks (inside-BigData.com)
In this deck from the FOSDEM 2018 conference, Jon Masters from Red Hat presents: Exploiting modern microarchitectures Meltdown, Spectre, and other hardware attacks.
"Recently disclosed vulnerabilities against modern high performance computer microarchitectures known as 'Meltdown' and 'Spectre' are among an emerging wave of hardware-focused attacks. These include cache side-channel exploits against underlying shared resources, which arise as a result of common industry-wide performance optimizations. More broadly, attacks against hardware are entering a new phase of sophistication that will see more in the months ahead. This talk will describe several of these attacks, how they can be mitigated, and generally what we can do as an industry to bring performance without trading security."
Jon Masters is a Computer Architect at Red Hat, where he was tech lead for mitigation efforts against Meltdown and Spectre. Jon has worked closely with high performance microprocessor design teams for years on emerging alternative server platforms, and also currently leads the CCIX software working group helping to define high performance cache coherent interconnects for workload acceleration. Jon has been a Linux developer for 22 years, since beginning college at the age of 13, and has authored a number of books on Linux technology. He lives in Cambridge, MA, and will run his 11th marathon later this spring.
Watch the video: https://insidehpc.com/2018/02/exploiting-modern-microarchitectures-meltdown-spectre-attacks/
Learn more: https://fosdem.org/2018/
Sign up for our insideHPC Newsletter: http://insidehpc.com/newsletter
Presentation of a paper at ISC 2008. Modification of a virtual TPM design to support more flexible key management and migration support for virtual machines.
Protecting Data with Short-Lived Encryption Keys and Hardware Root of Trust (Dan Griffin)
The US National Security Agency has been public about the inevitability of mobile computing and the need to support cloud-based service use for secret projects. General Alexander, head of the NSA, recently spoke of using smartphones as ID cards on classified networks.
And yet, mobile devices have a poor security track record, both as data repositories and as sources of trustworthy identity information. Cloud services are no better: current security features are oriented toward compliance and not toward real protection.
What if we could provide a strong link between mobile device identity, integrity, and the lifecycle of data retrieved from the cloud using only the hardware shipped with modern smartphones and tablets?
The good news is that we can do that with the trusted execution environment (TEE) features of the common system on a chip (SOC) mobile processor architectures using 'measurement-bound' encryption. This presentation describes how data can be encrypted to a specific device, how decryption is no longer possible when the device is compromised, and where the weaknesses are. I demonstrate measurement-bound encryption in action. I also announce the release of an open-source tool that implements it as well as a paper that describes the techniques for time-bound keys.
This is likely the very same way that NSA will be protecting the smartphones that will be used for classified information retrieval. Learn how your government plans to keep its own secrets and how you can protect yours.
A talk I gave about Meltdown and Spectre to the Papers We Love SG meetup.
https://engineers.sg/v/2302
Meltdown Paper: https://meltdownattack.com/meltdown.pdf
Spectre Paper: https://spectreattack.com/spectre.pdf
This 2-part presentation, "Mission Critical Security in a Post-Stuxnet World," contains slides from the Hirschmann 2011 Mission Critical Network Design Seminar. It summarizes a lot of information about the Stuxnet malware and discusses what it means for the future of SCADA and ICS security.
The presentation is ideal for anyone needing a crash course on Stuxnet, or as a tool for informing management about the implications of it.
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspection and Stealth Breakpoints (Kuniyasu Suzaki)
Presented at IWSEC2014 (The 9th International Workshop on Security, Hirosaki): "Kernel Memory Protection by an Insertable Hypervisor which has VM Introspection and Stealth Breakpoints"
Reconfigurable Trust for Embedded Computing Platforms
Published in: Applied Electronics (AE), 2012 International Conference
By: Martin Schramm, University of Applied Sciences Deggendorf, Deggendorf, Germany, martin.schramm@hdu-deggendorf.de
Andreas Grzemba, University of Applied Sciences Deggendorf, Deggendorf, Germany, andreas.grzemba@hdu-deggendorf.de
• The main topic of this paper is how to implement security in hardware.
• Implementing security in hardware adds sophisticated security and privacy mechanisms by isolating the security module from the rest of the system.
• Using an FPGA is one way to add a hardware security feature, and this was the main idea of the paper.
You say SCADA, I say … mainframes. There are some remarkable - and scary - parallels between the worlds of SCADA ICS and mainframes. Each system is critical to our lives. Their worlds are insular, proprietary, and seemingly shut-off to everyone else. Except for when they aren’t. Extrapolate the future of security for mainframes based on the challenges and failures of SCADA ICS as it has evolved from sequestered to connected. SCADA serves as a cautionary tale for securing mainframes against acts of God, nature and man in this scenario of a Stuxnet for Mainframes.
Steve Huffman - Lessons learned while at reddit.com (Carsonified Team)
Neil will teach you five advanced website traffic statistics that you NEED to be measuring, but probably aren't. It isn't good enough anymore to just measure click-through and conversion rates to your signup page. You need MUCH more detail and Neil will explain how to get it and make decisions accordingly. You'll be amazed at the increase in valuable sign-ups and revenue increases you can achieve.
Python RESTful webservices with Python: Flask and Django solutions (Solution4Future)
The slides contain RESTful solutions based on Python frameworks like Flask and Django. The presentation introduces the REST concept, presents benchmarks and research on the best solutions, analyzes performance problems and shows how to simply get better results. Finally it presents source code in Flask and Django showing how to make your own RESTful API in 15 minutes.
Research talk I gave at Semiconductor Research Corporation workshop in September 2017. Here I set research goals to create a new type of security technology to protect autonomous systems.
SECURITY SOFTWARE RESOLUTIONS (SSR)
TABLE OF CONTENTS (TOC)
DOMAIN 1 - PROJECT OUTLINE ... 3
1-1 PROJECT OUTLINE AND REQUIREMENTS ... 4
DOMAIN 2 - SECURITY IN THE DEVELOPMENT LIFE CYCLE ... 8
DOMAIN 3 - SOFTWARE ASSURANCE TECHNIQUES ... 12
DOMAIN 4 - SECURITY IN NONTRADITIONAL DEVELOPMENT MODELS ... 15
DOMAIN 5 - SECURITY STATIC ANALYSIS ... 20
DOMAIN 6 - SOFTWARE ASSURANCE POLICIES AND PROCESSES ... 29
DOMAIN 1-1 PROJECT OUTLINE AND REQUIREMENTS
Telecom and Network Security Requirements
Remote Access Security Management
Remote Connections
· xDSL – Digital Subscriber Line
· Cable modem
· Wireless (PDAs)
· ISDN – Integrated Services Digital Network
Securing External Remote Connections
· VPN – Virtual Private Network
· SSL – Secure Socket Layer
· SSH – Secure Shell
Remote Access Authentication
· RADIUS – Remote Access Dial-In User Server
· TACACS – Terminal Access Controller Access Control Server
Remote Node Authentication
· PAP – Password Authentication Protocol – clear text
· CHAP – Challenge Handshake Authentication Protocol – protects password
Remote User Management
· Justification of remote access
· Support Issues
· Hardware and software distribution
Intrusion Detection
· Notification
· Remediation
Creation of:
· Host and networked based monitoring
· Event Notification
· CIRT – Computer Incident Response Team
· CIRT Performs
· Analysis of event
· Response to incident
· Escalation path procedures
· Resolution – post implementation follow up
Intrusion Detection Systems
· Network Based – Commonly reside on a discrete network segment and monitor the traffic on that network segment.
· Host Based – Use small programs, which reside on a host computer. Detect inappropriate activity only on the host computer, not the network segment.
· Knowledge Based – Signature based
· Behavioral Based – Statistical Anomaly
Knowledge Based
· Pros: low false alarms; alarms standardized
· Cons: resource intensive; new or unique attacks not found
Behavior Based – less common
· Pros: dynamically adapts; not as operating-system specific
· Cons: high false alarm rates; user activity may not be static enough to implement
CIRT – (CERT) – Computer Incident Response Team
Responsibilities:
· Manage the company’s response to events that pose a risk
· Coordinating information
· Mitigating risk, minimize interruptions
· Assembling technical response teams
· Management of logs
· management of resolution
Network Availability
· RAID – Redundant Array of Inexpensive Disks
· Back Up Concepts
· Manage single points of failure
RAID – Redundant Array of Inexpensive Disks
· Fault tolerance against server crashes
· Secondary – impro.
Automated prevention of ransomware with machine learning and GPOs (Priyanka Aash)
This talk will highlight a signature-less method to detect malicious behavior before the delivery of the ransomware payload can infect the machine. The ML-driven detection method is coupled with the automated generation of a Group Policy Object, and in this way we demonstrate an automated way to take action and create a policy based on observed IOCs detected in a zero-day exploit pattern.
( Source : RSA Conference USA 2017)
Before venturing into learning and practicing security testing, aka penetration testing, every individual should have fundamental skills without which it will be very difficult to grasp all the related concepts.
I am sharing the basic details, which I have used to train fellow enthusiasts before initiating them into Security Testing.
2008 08-12 SELinux: A Key Component in Secure Infrastructures (Shawn Wells)
Presented at SHARE Conference, "SELinux: A Key Component in Secure Infrastructures"
Covers "what is SELinux?," Type Enforcement, SELinux Usage, and example scenarios.
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA (csandit)
Supervisory control and data acquisition (SCADA) systems have their own constraints and specifications. These systems control many of our critical industrial infrastructures, yet they are hardly secured. The biggest problem in securing these systems is the lack of cryptography support, especially since most SCADA systems work in real time, which is not compatible with most cryptographic algorithms. Additionally, a SCADA network may include a huge number of embedded devices with little computational power, which adds to the cost of any security improvement. In this paper we present a new approach that would secure SCADA communications by coding information without the need for complex cryptographic algorithms. The reconfigurable information transmitter agent (RITA) protocol that we present does not need the already installed devices to be modified or replaced; it only needs costless electrical chips to be added to these devices. This approach can also be used to secure any type of communication that respects the protocol's constraints.
Presentation from the EPRI-Sandia Symposium on Secure and Resilient Microgrids: Cyber Security R&D for Microgrids, presented by Jason Stamp, Sandia National Laboratories, Baltimore, MD, August 29-31, 2016.
2. Agenda
› Defining the problem
› Introduction
› Background Technologies (SRTM, DRTM,FLASK)
› Radium Architecture Overview
› Radium Prototype Overview
› Adversary Model
› Access Control Policy (XSM)
› Radium Security and Performance
› Related Works
› Conclusion
› Future Works
3. Problem
› How many of us here have sensitive and/or private data stored on our personal devices?
› Laptops
› iPads/Tablets
› Cell phones
› The Cloud
› How many of you implicitly trust those devices?
› Fact: everyone does (passwords, bank accounts, pictures, etc.)
› We need a way to assess the state of our computing devices (the computing components and environments)
› Access control
5. Introduction
› Given two software stacks, how can one differentiate between a certified stack and one carrying sophisticated malware?
› A computing platform is trustworthy if it behaves as expected.
› Computing components:
– Firmware (BIOS)
– System software (OS)
– Application software
› Integrity measurement: an approach to verifying the trustworthiness of a computing platform by measuring each individual component.
– A measurement represents the state/behavior of an entity
– Integrity measurement acts as a basis for trust
6. Introduction cont.
› Trusted Computing Group (consortium of companies, e.g. AMD, Cisco, IBM, Intel, etc.)
– TCG design solution
› Trusted Platform Module (TPM)
› Current TPM-based solutions
– SRTM (static root of trust for measurement)
– DRTM (dynamic root of trust for measurement)
› Axiom
– Measured components do not change after measurement
› Radium ARTM (Asynchronous Root of Trust for Measurement)
– Leverages ARTM to overcome TOCTOU attacks (the gap between the time a component is measured and the time it is used)
– Allows concurrent execution of untrusted/trusted virtual domains
– Zero downtime
– Secure MAC policy in the hypervisor (hypercall granularity)
– Remote attestation capability
10. FLASK Architecture Overview
› Mandatory access control security architecture that supports dynamic policies (user, role, type and sensitivity)
› Flask separates security policy decision from enforcement: the security server decides, the object managers enforce
› Uses context labels on subjects and objects to grant access (the subject is the requesting element, the object is the element being requested)
› A prominent implementation of Flask is Security-Enhanced Linux (SELinux)
› Context label format: user:role:type:sensitivity, e.g. System_U:System_R:Type_T:S0...S10
12. Radium Design Overview
› Employs DRTM to boot a trusted hypervisor
› Uses ARTM to overcome TOCTOU attacks
› Provides efficient and detailed measurements
› Allows more than one measured environment to co-exist and co-operate
› Contains an access control policy which regulates access between all trusted and untrusted environments
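The measurement chain and the TOCTOU gap that the introduction (slide 6) and the design overview (slide 12) refer to, as an added example that is not Radium's code and not a TPM library: a PCR is modelled in software with the TPM extend rule PCR_new = SHA-256(PCR_old || digest); the boot chain images, the golden values, the guest image and the in-memory tampering are all constructed for the example, and the "measuring domain" is a plain function that re-hashes a guest's memory. It shows that a verifier replaying the event log reaches the boot-time PCR, that reordering or replacing a component changes that PCR, and that a guest modified after its load-time measurement still passes attestation on the stale PCR while an asynchronous re-measurement catches the change.

```python
"""Boot-time measurement chain versus asynchronous re-measurement (ARTM).
Added example: not Radium's code and not a TPM library. A PCR is modelled in
software (TPM extend: PCR_new = SHA-256(PCR_old || digest)) to show how an
SRTM/DRTM chain folds into one value a verifier checks against a golden one,
and why that value says nothing about a component changed after it was
measured (TOCTOU), which re-hashing the live environment catches."""
import hashlib

PCR_SIZE = 32  # bytes; a single SHA-256 PCR bank


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: one-way and order-dependent, so a chain cannot be rewritten."""
    return sha256(pcr + digest)


def measure_chain(components):
    """Measure components in boot order into a fresh (all-zero) PCR, as SRTM does
    from reset or DRTM from the late-launch point; returns (PCR, event log)."""
    pcr = bytes(PCR_SIZE)
    log = []
    for name, image in components:
        digest = sha256(image)
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def replay_log(log):
    """Verifier side: recompute the PCR from the event log. In a real deployment
    the value it is compared with comes from a TPM-signed quote."""
    pcr = bytes(PCR_SIZE)
    for _, digest_hex in log:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    return pcr


# Constructed stand-ins for firmware, hypervisor and control-domain kernel images.
BOOT_CHAIN = [
    ("firmware", b"BIOS v1.2 (constructed image)"),
    ("hypervisor", b"xen hypervisor (constructed image)"),
    ("dom0-kernel", b"dom0 linux kernel (constructed image)"),
]
GOLDEN_PCR, GOLDEN_LOG = measure_chain(BOOT_CHAIN)  # recorded on a known-good boot
GUEST_IMAGE = b"guest kernel text (constructed image) ..........."


def load_time_attest(components) -> bool:
    """One-shot attestation: True iff the chain measured now equals the golden PCR."""
    return measure_chain(components)[0] == GOLDEN_PCR


class RunningDomain:
    """A guest whose memory was hashed once at load time and can change afterwards."""
    def __init__(self, name: str, image: bytes):
        self.name = name
        self.memory = bytearray(image)
        self.load_digest = sha256(image)  # what the load-time measurement recorded

    def tamper(self, offset: int, payload: bytes):
        self.memory[offset:offset + len(payload)] = payload


def artm_remeasure(domain: RunningDomain) -> bool:
    """Asynchronous re-measurement from a separate measuring domain: hash the live
    memory again; True iff the domain is still in its measured state."""
    return sha256(bytes(domain.memory)) == domain.load_digest


def toctou_demo():
    """(boot-time attestation passes, re-measurement passes) for a guest that is
    modified after its load-time digest was extended into the PCR."""
    guest = RunningDomain("domHVM", GUEST_IMAGE)
    pcr = pcr_extend(GOLDEN_PCR, guest.load_digest)  # measured at load, then forgotten
    guest.tamper(0, b"ROOTKIT")                      # changed after measurement
    expected = pcr_extend(GOLDEN_PCR, sha256(GUEST_IMAGE))
    stale_attest_ok = pcr == expected  # PCR was never re-extended: still "good"
    return stale_attest_ok, artm_remeasure(guest)


if __name__ == "__main__":
    print("golden PCR:", GOLDEN_PCR.hex())
    print("log replays to golden PCR:", replay_log(GOLDEN_LOG) == GOLDEN_PCR)
    print("reordered chain attests:", load_time_attest(list(reversed(BOOT_CHAIN))))
    print("(stale attestation, ARTM re-measure):", toctou_demo())
```

The two halves of toctou_demo are the whole argument for ARTM: the PCR is a record of what was loaded, not of what is running, so once the measured image is patched in memory the remote verifier keeps accepting the stale value until something re-measures the live environment.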
19. Xen Security Module (XSM)
› XSM is lightweight compared to SELinux
› XSM uses the same semantic concepts and tools as SELinux
› For simplicity we employ Type Enforcement
› Changes or updates to the policy require a system boot (a privileged-domain capability)
› Decomposed domains
– Principle of least privilege for each domain (hypercall granularity)
– Ability to allow certain domains to control resource allocations
› Theoretically, multiple domain builders can be created
› Existing XSM modules
– Dummy (XSM default)
– Secure hypervisor access control (sHype, by IBM)
– Flask (from the NSA; the most widely used)
20. Radium Access Control Policy Capabilities
› Prevent/allow two domains from communicating via event channels or accessing memory pages.
› Grant a set of privileges and capabilities to a virtual machine which is typically unavailable to unprivileged domains.
› Restrict operations performed by privileged domains.
21. › Type Enforcement: domain types
– dom0_t
– domU_t (PV domain: paravirtualized, Xen-aware guest)
› PV does not require virtualization extensions from the host CPU
– domHVM_t (HVM domain: fully virtualized)
– measuringService_t (the VM domain that gives Radium its ARTM capability)
› Creating a new type
› type measuringService_t;
– Declare the type with its attributes (the attributes an allow rule may refer to)
› type measuringService_t, domain_type, domain_self_type, domain_target_type, event_type, xen_type, grant_type;
› A new type can do nothing until it has corresponding "allow" rules
– allow sourceDomain_t targetDomain_t:className { hypercallOfTheClass };
› allow measuringService_t domHVM_t:grant { read map transfer copy };
› Once the policy is in enforcing mode, every virtual domain configuration file must be labeled with a security context
– Initial SID in the policy: sid measuringService system_u:system_r:measuringService_t
– In the domain configuration: seclabel = "system_u:system_r:measuringService_t"
– Default for an unlabeled domain: system_u:system_r:Unknown_t
22. XSM Classes
› Classes categorize related hypercalls (related to attributes)
– Declaring a new class
› class class_name
› Eight classes currently offered in the policy
› Class xen (consists of Dom0 only: operations dealing with the hypervisor itself, but can be extended to other domains)
› class xen { settime readconsole sleep getcpuinfo }
› Classes domain and domain2
› class domain { pause unpause resume create _self _target }
› Class event (contains the hypercalls for inter-domain communication between two domains; for a domain to communicate, the allow rules have to be set for both the source and the target virtual domains)
› class event { bind send status create reset }
› Class security
› class security { compute_avc compute_create check_context load_policy compute_relabel setenforce }
› Xenstore (currently not part of XSM) must be set via Dom0
– Volatility with LibVMI, which requires Xenstore permissions to be configured
› xenstore-chmod -r /local/domain/2/memory n0 r1 (use w1 instead of r1 if you want write ability)
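The type, class and allow statements on the last two slides combine into a single allow/deny decision per hypercall. The following Python script is an added example, not Radium's or Xen's code: it parses a constructed policy fragment built from the slides' `domain` and `grant` classes and the `allow measuringService_t domHVM_t:grant` rule, and answers access-vector queries the way Flask type enforcement does, denying everything an allow rule does not cover. The `attribute domain_type;` declaration, the `self` rule and the dom0 life-cycle rule are assumptions added to show attribute expansion; real XSM policy is compiled with checkpolicy and enforced inside Xen.

```python
"""Toy evaluator for the type-enforcement subset of an XSM/Flask policy.
Added example, not Radium's or Xen's code: real policy is compiled with
checkpolicy and enforced by the Flask access vector cache inside Xen. This
only mirrors the semantics of the statements shown on the slides."""
import re
from collections import defaultdict

# Constructed fragment: the classes and the first allow rule are from the slides;
# `attribute domain_type;` and the last two allow rules are assumptions added to
# show attribute expansion and the `self` target.
POLICY_TEXT = """
class domain { pause unpause resume create _self _target }
class grant { read map transfer copy }
attribute domain_type;
type dom0_t, domain_type;
type domU_t, domain_type;
type domHVM_t, domain_type;
type measuringService_t, domain_type;
allow measuringService_t domHVM_t:grant { read map transfer copy };
allow domain_type self:domain { pause unpause };                  # assumed
allow dom0_t domain_type:domain { pause unpause resume create };  # assumed
"""
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)")


class Policy:
    """Parses the statements above and answers access-vector queries."""

    def __init__(self, text):
        self.classes = {}                   # class name -> set of permissions
        self.attributes = defaultdict(set)  # attribute -> types carrying it
        self.types = set()
        self.rules = []                     # (source, target, class, perms)
        self._parse(text)

    def _parse(self, text):
        text = re.sub(r"#.*", "", text)  # drop comments

        def take_class(m):  # class blocks end with '}' rather than ';'
            self.classes[m.group(1)] = set(m.group(2).split())
            return ""
        text = re.sub(r"\bclass\s+(\w+)\s*\{([^}]*)\}", take_class, text)
        for stmt in text.split(";"):
            words = stmt.replace(",", " ").split()
            if not words:
                continue
            if words[0] == "attribute":
                self.attributes[words[1]]  # touching the defaultdict declares it
            elif words[0] == "type":
                self.types.add(words[1])
                for attr in words[2:]:
                    self.attributes[attr].add(words[1])
            elif words[0] == "allow":
                self.rules.append(self._parse_allow(stmt))
            else:
                raise ValueError(f"unsupported statement: {stmt.strip()}")

    def _parse_allow(self, stmt):
        m = ALLOW_RE.match(stmt.strip())
        if not m:
            raise ValueError(f"malformed allow rule: {stmt.strip()}")
        src, tgt, cls, perms = m.groups()
        perms = set(perms.strip("{}").split())
        if cls not in self.classes or perms - self.classes[cls]:
            raise ValueError(f"unknown class or permission in: {stmt.strip()}")
        return src, tgt, cls, perms

    def _expand(self, name):
        """A rule operand is a type or an attribute (all types carrying it)."""
        if name in self.types:
            return {name}
        if name in self.attributes:
            return set(self.attributes[name])
        raise ValueError(f"unknown type or attribute {name!r}")

    def _targets(self, src, rule_tgt):
        return {src} if rule_tgt == "self" else self._expand(rule_tgt)

    def allowed(self, src, tgt, cls, perm):
        """Deny by default; grant only when some allow rule covers the tuple."""
        if perm not in self.classes.get(cls, ()):
            return False
        return any(r_cls == cls and perm in r_perms and src in self._expand(r_src)
                   and tgt in self._targets(src, r_tgt)
                   for r_src, r_tgt, r_cls, r_perms in self.rules)

    def permitted(self, src):
        """Everything a source type may do: the 'few hypercalls' of the conclusion."""
        out = set()
        for r_src, r_tgt, r_cls, r_perms in self.rules:
            if src in self._expand(r_src):
                for tgt in self._targets(src, r_tgt):
                    out.update(f"{tgt}:{r_cls}.{p}" for p in r_perms)
        return sorted(out)


def type_of(context):
    """Security context user:role:type (as in seclabel=) -> its type component."""
    return context.split(":")[2]


RADIUM_POLICY = Policy(POLICY_TEXT)
```

With this policy, `RADIUM_POLICY.allowed(type_of("system_u:system_r:measuringService_t"), "domHVM_t", "grant", "map")` is true, the same query for `domU_t` as the source (or for a `domU_t` target) is false, and a domain labelled with the default `Unknown_t` matches no rule at all. `permitted("domU_t")` lists only the two self-directed `domain` permissions, which is the least-privilege effect the slides describe: an unprivileged domain reaches very few hypercalls, and the measuring service gains exactly the grant-table operations it needs for introspection.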
24. Radium: Security and Performance
› Hypervisor verified and trusted using DRTM (important to ensure the integrity of the MAC policy)
› All access is protected by the trusted Mandatory Access Control policy within the hypervisor
› Traditional trusted systems (DRTM)
– 26.7 seconds to measure an untrusted/normal environment
– 35.8 seconds for booting the untrusted/normal environment
– A total of an average of 62.5 seconds to ensure trustworthiness
› Radium system
– 27.3 seconds to measure the measuring service
– 11.1 seconds to boot the measuring service
– 1.7 seconds to measure the untrusted/normal environment (querying ACP + memory introspection + results)
– A total of an average of 40.1 seconds to ensure trustworthiness
26. Related Works
› Trusted Computing
– Trusted Platform Module: Building a Trusted Software Stack and Remote Attestation
› Trusted hypervisors
– Flicker
› Rootkit Detectors
– Rootkit Detection on Virtual Machines through Deep Information Extraction at Hypervisor Level
› Hypervisor based secure access control
– Flux Advanced Security Kernel (Flask)
– Meeting Critical Security Objectives with SELinux
– Using the Flask Security Architecture to Facilitate Risk Adaptable Access Control
28. Conclusion
› DRTM + VT-d boot of the hypervisor ensures the integrity of the secure MAC policy
› The secure MAC policy is used to create a measuring service with the ability to provide use-time measurements
› Use-time measurements prevent TOCTOU attacks (you can measure at any time)
› Use of a trusted measuring service with a secure MAC policy is more efficient than rebooting/resetting an environment
› The Radium architecture achieves measurements with zero downtime
› The use of a secure MAC policy guarantees that hypercall invocation can be controlled (unprivileged domains have access to few hypercalls)
30. Future Works
› Incorporate Intel SGX into the Radium architecture
› Create a minimal-TCB hypervisor (possibly extend Amit Vasudevan's design of the eXtensible Modular Hypervisor Framework)
– Multiple guest virtual domains
– Incorporate a MAC ACP
› Employ Risk Adaptable Access Control (RAdAC)
› Create two policies based on the state
› Incorporate role/user and sensitivity with type/domain based enforcement
31. References
1. Trusted computing using AMD "Pacifica" and "Presidio" secure virtual machine technology; Geoffrey Strongin, Advanced Micro Devices, Inc.
2. BIOS chronomancy: fixing the core root of trust for measurement; John Butterworth, Corey Kallenberg, Xeno Kovah, Amy Herzog
3. Trusted Boot: Verifying the Xen Launch; Joseph Cihula
4. Flicker: an execution infrastructure for TCB minimization; Jonathan M. McCune, Bryan J. Parno, Adrian Perrig, Michael K. Reiter, Hiroshi Isozaki
5. TrustVisor: Efficient TCB Reduction and Attestation; Jonathan M. McCune, Yanlin Li, Ning Qu, Zongwei Zhou, Anupam Datta, Virgil Gligor, Adrian Perrig
6. An architecture for concurrent execution of secure environments in clouds; Ramya Jayaram Masti, Claudio Marforio, Srdjan Capkun
7. Copilot - a coprocessor-based kernel runtime integrity monitor; Nick L. Petroni, Jr., Timothy Fraser, Jesus Molina, William A. Arbaugh
8. Terra: a virtual machine-based platform for trusted computing; Tal Garfinkel, Ben Pfaff, Jim Chow, Mendel Rosenblum, Dan Boneh
9. NoHype: virtualized cloud infrastructure without the virtualization; E. Keller, J. Szefer, J. Rexford, R. B. Lee
10. Building a MAC-based security architecture for the Xen open-source hypervisor; R. Sailer, T. Jaeger, E. Valdez, R. Caceres, R. Perez, S. Berger, J. L. Griffin, L. van Doorn
11. Radium: Race-free on-demand integrity measurement architecture; Srujan Kotikela, Tawfiq Shah, Mahadevan Gomathisankaran, Gelareh Tabani, et al., 2015
12. ELI: Bare-Metal Performance for I/O Virtualization; Abel Gordon, Nadav Amit, Nadav Har'El, Muli Ben-Yehuda, Alex Landau, Assaf Schuster, Dan Tsafrir
13. Breaking up is hard to do: security and functionality in a commodity hypervisor; Patrick Colp, Mihir Nanavati, Jun Zhu, William Aiello, George Coker, Tim Deegan, Peter Loscocco, Andrew Warfield
14. Innovative Instructions and Software Model for Isolated Execution; Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos V. Rozas, Hisham Shafi, Vedvyas Shanbhogue, Uday R. Savagaonkar
1. Chain of trust anchored in the CRTM (immutable function) in the CPU unit
2. CRTM initiates the measurement of the firmware
Suspension of environment
Intel TXT first verifies the digital signature of the ACM and validates it
ACM digital key is hardcoded in the platform by the manufacturer
multitasking ability of computing systems and makes it an expensive implementation
4. DRTM architecture does allow multiple trusted applications to run but does not allow the trusted environments to run concurrently
1. CRTM, BIOS, tboot, DRTM invoked, ACM validated + VT-d, extend TPM, Xen hypervisor
2. Measuring service boot if PCR 17 and 18 are good
3. LibVMI and Volatility
4. Rootkit detection done without the knowledge of the environment
5. measureMe hypercall
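The notes above gate the measuring-service boot on PCR 17 and 18 being "good". The following Python script is an added example, not Radium's, tboot's or Intel's code, that shows what such a gate compares: it replays the TPM 1.2 extend rule (new PCR = SHA-1(old PCR || measurement)) over an event log for each of the two registers, compares the result with values recorded at provisioning, and refuses the launch when a measured object changes or the same objects are extended in a different order. The event contents and the resulting golden values are constructed placeholders, not real SINIT, tboot or Xen measurements.

```python
"""PCR extend chain and a PCR 17/18 launch gate for the measuring service.
Added example, not Radium's or tboot's code. Event contents are constructed
placeholders; only the extend arithmetic and the gate logic are the point."""
import hashlib

DIGEST = "sha1"  # TPM 1.2 PCR bank (TPM 2.0 adds sha256 banks with the same rule)
PCR_SIZE = hashlib.new(DIGEST).digest_size


def measure(blob):
    """Measurement of an object being loaded (ACM, MLE, hypervisor image, policy)."""
    return hashlib.new(DIGEST, blob).digest()


def pcr_extend(pcr, measurement):
    """TPM extend: the register only ever folds a value in, never overwrites."""
    return hashlib.new(DIGEST, pcr + measurement).digest()


def replay_pcr(events):
    """Recompute a PCR from its event log. The DRTM launch resets PCR 17/18 to
    all zeros before the first extend, so the replay starts from zeros too."""
    pcr = bytes(PCR_SIZE)
    for blob in events:
        pcr = pcr_extend(pcr, measure(blob))
    return pcr


def launch_allowed(pcr_values, golden):
    """Notes rule: boot the measuring service only if PCR 17 and 18 are good."""
    return all(pcr_values.get(idx) == golden[idx] for idx in (17, 18))


# Constructed event logs standing in for the objects the DRTM launch extends into
# PCR 17 and PCR 18 on this platform (placeholders, not real measurements).
PCR17_EVENTS = [b"sinit-acm:constructed", b"launch-control-policy:constructed"]
PCR18_EVENTS = [b"tboot-mle:constructed", b"xen-hypervisor:constructed"]

# Golden values recorded when the platform was provisioned in a known-good state.
GOLDEN = {17: replay_pcr(PCR17_EVENTS), 18: replay_pcr(PCR18_EVENTS)}


def boot_decision(pcr17_events, pcr18_events):
    """Replay what the platform reports and decide whether to launch the service."""
    reported = {17: replay_pcr(pcr17_events), 18: replay_pcr(pcr18_events)}
    return launch_allowed(reported, GOLDEN)


if __name__ == "__main__":
    print("known-good hypervisor:", boot_decision(PCR17_EVENTS, PCR18_EVENTS))
    tampered = [b"tboot-mle:constructed", b"xen-hypervisor:tampered"]
    print("modified hypervisor image:", boot_decision(PCR17_EVENTS, tampered))
    # Order matters: the same objects extended in another order give a different PCR.
    print("reordered log still matches:", replay_pcr(PCR18_EVENTS) == replay_pcr(PCR18_EVENTS[::-1]))
```

The gate refuses when any measured object differs by a single byte or when the launch order changes, which is why sealing the measuring service's secrets to PCR 17/18 (rather than only checking them in software) is the usual deployment: a modified hypervisor cannot unseal them even if it skips the check.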