SECURITY ARCHITECTURES CARSTEN WEINHOLD

Similar documents
SECURITY ARCHITECTURES CARSTEN WEINHOLD

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

jvpfs: Adding Robustness to a Secure Stacked File System with Untrusted Local Storage Components

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Lecture Embedded System Security Introduction to Trusted Computing

Lecture Embedded System Security Introduction to Trusted Computing

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

Lecture Embedded System Security Introduction to Trusted Computing

Operating Systems. Week 13 Recitation: Exam 3 Preview Review of Exam 3, Spring Paul Krzyzanowski. Rutgers University.

CS 416: Operating Systems Design April 22, 2015

Virtual Private Networks (VPN)

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

ISACA CISA. ISACA CISA ( Certified Information Systems Auditor ) Download Full Version :

CSC 4900 Computer Networks: Security Protocols (2)

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Firewalls, Tunnels, and Network Intrusion Detection

TERRA. Boneh. A virtual machine-based platform for trusted computing. Presented by: David Rager November 10, 2004

On the Internet, nobody knows you re a dog.

Applications of Attestation:

SE420 Software Quality Assurance

HP Instant Support Enterprise Edition (ISEE) Security overview

Chapter 8 Network Security

Towards Application Security on Untrusted Operating Systems

Internet security and privacy

VPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist

Connecting Securely to the Cloud

RESOURCE MANAGEMENT MICHAEL ROITZSCH

TRESCCA Trustworthy Embedded Systems for Secure Cloud Computing

Lecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015

IP Security IK2218/EP2120

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

CTS2134 Introduction to Networking. Module 08: Network Security

Network Security. Thierry Sans

NCP Secure Entry macos Client Release Notes

Configuring OpenVPN on pfsense

(a) Which of these two conditions (high or low) is considered more serious? Justify your answer.

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

CSE543 Computer and Network Security Module: Network Security

NCP Secure Enterprise macos Client Release Notes

Ch 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated

Hackveda Training - Ethical Hacking, Networking & Security

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

CIS 21 Final Study Guide. Final covers ch. 1-20, except for 17. Need to know:

IP Security. Have a range of application specific security mechanisms

Improving client systems security with Qubes OS

Cloud Native Security. OpenShift Commons Briefing

Protocol Architecture (2) Suguru Yamaguchi Nara Institute of Science and Technology Department of Information Science

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

A Technical Overview of the Lucent Managed Firewall

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Secure Sharing of an ICT Infrastructure Through Vinci

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

Lecture 3 MOBILE PLATFORM SECURITY

Network Security and Cryptography. December Sample Exam Marking Scheme

HikCentral V.1.1.x for Windows Hardening Guide

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Introducing Genode. Norman Feske Genode Labs

RESOURCE MANAGEMENT MICHAEL ROITZSCH

Firmware Updates for Internet of Things Devices

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

CSE 565 Computer Security Fall 2018

HikCentral V1.3 for Windows Hardening Guide

Data Sheet. NCP Exclusive Remote Access Mac Client. Next Generation Network Access Technology

This version of the des Secure Enterprise MAC Client can be used on Mac OS X 10.7 Lion platform.

Cryptography and Network Security

Introduction to IPsec. Charlie Kaufman

Network Security Fundamentals

Combining program verification with component-based architectures. Alexander Senier BOB 2018 Berlin, February 23rd, 2018

Securing Enterprise Extender

RESOURCE MANAGEMENT MICHAEL ROITZSCH

COMPUTER NETWORK SECURITY

Network Security and Cryptography. 2 September Marking Scheme

The next step in IT security after Snowden

Operating Systems Design Exam 3 Review: Spring Paul Krzyzanowski

IS THERE A HOLE IN YOUR RISC-V SECURITY STACK? JOTHY ROSENBERG DOVER MICROSYSTEMS

SSL/TLS. How to send your credit card number securely over the internet

Facing the Reality: Virtualization in a Microkernelbased Operating System. Matthias Lange, MOS, January 26th, 2016

Cryptography and Network Security. Sixth Edition by William Stallings

Data Sheet. NCP Secure Enterprise macos Client. Next Generation Network Access Technology

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Resilient IoT Security: The end of flat security models

CS 356 Internet Security Protocols. Fall 2013

CSC 6575: Internet Security Fall 2017

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

Cisco Tetration Analytics Demo. Ing. Guenter Herold Area Manager Datacenter Cisco Austria GmbH

Network Security Protocols NET 412D

COSC4377. Chapter 8 roadmap

SafeBricks: Shielding Network Functions in the Cloud

ECE 435 Network Engineering Lecture 23

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Communication Systems DHCP

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

Transcription:

Department of Computer Science Institute of System Architecture, Operating Systems Group SECURITY ARCHITECTURES CARSTEN WEINHOLD

MOTIVATION Common observations: Complex software has security bugs Users are plagued by malware User PCs become bots Critical data gets stolen Targeted attacks at high-value users: Key industries, governments Sad truth: threats won t go away 2

MOTIVATION It s all the same for mobile devices Malware in Android Store: trojan horse downloaded by millions of users Security-critical bugs: Drivers [1,2], USB stacks [7], boot loaders Messaging apps [8], web browser,... Jailbreaking = attack on security: Requires physical access...... or visit special website [9] 3

CLASSICAL ARCHITECTURES 4

ISOLATION Isolation in commodity OSes based on user accounts: Same privileges for all apps Permissive interfaces (e.g., ptrace to manipulate other address spaces) No isolation within applications Efforts to restrict privileges: SELinux, AppArmor, Seatbelt,... 5

HW ISOLATION Separate computers Applications and data PC 1 PC 2 physically isolated App Effective, but... High costs Needs more space Inconvenient Exposure to network may pose threat OS Hardware App OS Hardware 6

VM ISOLATION Multiple VMs, OSes Isolation enforced by VM 1 VM 2 virtualization layer App Saves space, energy, App maintenance effort But still... OS OS Switching between VMs is inconvenient Even more code Virtualization Layer Hardware 7

ARE WE SECURE? Huge code bases remain Applications still the same Many targets to attack: Application, Commodity OS Virus scanner, firewall,... Virtualization layer High overhead for many VMs 8

SECURITY ARCHITECTURES 9

SECURITY GOALS Protect the user s data Secure applications that process data Acknowledge different kinds of trust: Application A trusted for task B, but not C OS trusted to store data, but not to see it Use infrastructure without trusting it? Identify and secure TCB: the Trusted Computing Base 10

FIRST STEP To improve security: Reduce size of TCB = smaller attack surface First idea: Remove huge legacy OS from TCB Port application to microkernel-based multiserver OS Remove unneeded libc backends, etc. Possible approaches discussed in lecture on Legacy Reuse 11

NIZZA ARCHITECTURE Legacy App Legacy OS Signing App E-Commerce App Banking App Loader Names User Auth GUI Storage I/O Microkernel 12

PRINCIPLES Nizza architecture: fundamental concepts: Strong isolation Application-specific TCBs Legacy reuse Trusted wrappers Trusted computing 13

APP-SPECIFIC TCB Reflects Principle of Least Privilege TCB of an application includes only components its security relies upon TCB does not include unrelated applications, services, libraries Mechanisms: Address spaces for strong isolation Well-defined interfaces 14

APP-SPECIFIC TCB Network App Legacy App IP Stack Signing App Legacy OS Virtual Ethernet Key Mgmt Loader Names User Auth GUI Storage I/O Microkernel 15

SPLITTING COMPONENTS 16

SPLIT APPS Problems with porting applications: Dependencies need to be satisfied Can be complex, require lots of code Stripped down applications may lack functionality / usability Better idea: split application Make only security-critical parts run on microkernel-based OS Parts of application removed from TCB 17

EXAMPLE: EMAIL Digitally signed e-mails, what s critical? Handling of signature keys Requesting passphrase to unlock secret signature key Presenting e-mail message: Before sending: What You See Is What You Sign After receiving: verify signature, identify sender 18

SPLIT EMAIL APP Mozilla Thunderbird GnuPG Proxy L4GnuPG X Window System L 4 Linux DOpE Nitpicker Trusted computing base Hardware Video Device Input Devices Figure taken from [5] 19

TCB REDUCTION 1,500,000+ SLOC no longer in TCB: Linux kernel, drivers, X-Server C and GUI libraries, Thunderbird TCB size reduced to ~150,000 SLOC: GNU Privacy Guard, e-mail viewer Basic L4 system At least 10 times less code in TCB 20

SPLITTING THE OS Splitting works for applications What about the complex and useful infrastructure of commodity OSes? Drivers (see previous lectures) Protocol stacks (e.g., TCP/IP) File systems Starting point: Virtualized commodity OS 21

SIMPLE REUSE Run legacy OS in VM Reuse service: net, files,... Legacy infrastructure isolated from applications App Legacy OS But: Applications still depend on legacy services... in TCB? Interfaces reused, security issues as well? Basic Services Microkernel 22

COMPLEXITY Network and file system stacks are virtually essential subsystems Generally well tested Ready for production use... but not bug free: month of Kernel Bugs 2006 [1,2]: 14 exploitable flaws in file systems: UFS, ISO 9660, Ext3, SquashFS,... WiFi drivers: remotely exploitable bugs 23

REUSE + TRUST Complex protocol stacks should not be part of TCB Reuse untrusted infrastructure through trusted wrapper: Add security around existing APIs Cryptography Redundancy General idea similar to SSL, VPN 24

EXAMPLE: VPN VPN: Confidentiality, Integrity, Availability Secure Net Internet Secure Net Titel 25

SINA BOX SINA box used by German BSI : VPN gateway Implements IPSec & PKI Intrusion detection & response Used for secure access to government networks, e.g. in German embassies Image source: http://www.secunet.com/de/das-unternehmen/presse/bilddatenbank/ 26

SINA BOX Hardware: Different kinds of networks interfaces: Red: Black: plaintext, no protection encrypted, MACs Tamper / EM protected casing Software: Minimized and hardened Linux Runs only from CD-ROM or Flash 27

OS COMPLEXITY Linux is complex! SLOC for Linux 2.6.18: Architecture specific: 817,880 x86 specific: 55,463 Drivers: 2,365,256 Common: 1,800,587 Typical config: ~ 2,000,000 Minimized & hardened: ~ 500,000 28

MIKRO-SINA Research project Mikro-SINA Goals: Reduce TCB of VPN gateway Enable high-level evaluation for high assurance scenarios Ensure confidentiality and integrity of sensitive data within the VPN Exploit microkernel architecture 29

IPSEC BASICS Protocol suite for securing IPbased communication Authentication header (AH) Integrity Authentication Encapsulating Security Payload (ESP) Confidentiality Application TCP / UDP IP IPSec Link Layer Tunnel mode / transport mode 30

IPSEC IN L 4 LINUX IPSec is security critical component... but is integrated into Linux kernel L 4 Linux IP Stack IPSec Microkernel 31

IPSEC VIADUCT Better: isolate IPSec in Viaduct IPSec packets sent/received through TUN/ TAP device L 4 Linux IP Stack tun0 eth0 IPSec Viaduct Microkernel 32

FRAGMENTATION Problem: Routers can fragment IPSec packets on the way Let L 4 Linux reassemble them L 4 Linux IP Stack AH / ESP tun0 eth0 IPSec Viaduct Microkernel 33

CONFIDENTIALITY Untrusted L 4 Linux must not see both plaintext and encrypted data Dedicated L 4 Linux for black/red networks L 4 Linux L 4 Linux IP Stack AH / ESP tun0 IPSec Viaduct tun0 IP Stack eth0 eth1 Microkernel 34

MIKRO-SINA Result: trusted wrapper for VPN Small TCB (see [6] for details): 5,000 SLOC for Viaduct Fine grain isolation Principle of least privilege Extensive reuse of legacy code: Drivers IP stack 35

EXAMPLE: STORAGE How to provide secure and Legacy App reliable storage for trusted applications? Legacy OS Signing App E-Commerce App Banking App Loader Names User Auth GUI Storage I/O Microkernel 36

VIRTUAL PRIVATE... VPFS: Confidentiality, Integrity, Availability TCB App Linux Kernel 4,600 SLOC Secure File System Commodity File System 50,000+ SLOC Microkernel See [3] for details Titel 37

DESIGN SPACE First end of design space: Protect whole file system at block layer: Common solution (e.g., dm_crypt in Linux) Easy protection for all data Most parts of file system stack are part of TCB Attack surface still big App VFS File System Buffer Cache Block Layer Protection Disk Driver 38

DESIGN SPACE Second end of design space: Protect individual files near VFS / API layer: Stacked file system (e.g., ecryptfs in Linux) Flexible protection policies Most parts of file system stack not part of TCB Ideal for trusted wrapper App VFS Protection File System Buffer Cache Block Layer Disk Driver 39

SPLIT FS STACK Trusted Untrusted App FS Proxy Wrapper Buffer Cache Crypto Proxy Layer File System Buffer Cache Block Layer Disk Driver 40

SECURITY GOALS Confidentiality: only authorized applications can access file system, all untrusted software cannot get any useful information Integrity: all data and meta data is correct, complete, and up to date; otherwise report integrity error Recoverability: damaged data in untrusted file system can be recovered from trusted backup 41

FILE ENCRYPTION Files in untrusted legacy file system are arrays of encrypted blocks Trusted part of VPFS takes care of encryption / decryption on the fly Only buffer cache contains plaintext 42

FILE INTEGRITY Hash tree embedded in files Parents authenticate child nodes 0 1 2 3 4 5 6 7 8 43

META DATA Dir Dir Dir File File File File Inode File (w/ per-file hashes) Small Secure Storage 44

EXTENSIVE REUSE VPFS reuses Linux file system stack: Drivers, block device layer Optimizations (buffer cache, read ahead, write batching,...) Allocate / free disk storage for files What about metadata? Naming and lookup functionality Directories and hierarchies 45

PROOFS How to trust untrusted meta data? File exists / File does not exist : Validated inside TCB using cryptographic proof and hash tree Efficient solution possible Directory listings: Efficient solution requires functionality to be implemented in TCB Details in [3] 46

VPFS SUMMARY Trusted wrappers for file systems work! VPFS is general purpose file system Significant reduction in code size: Untrusted Linux file system stack comprises 50,000+ SLOC VPFS adds 4,000 to 4,600 SLOC to application TCB [3] jvpfs adds another 350 SLOC for secure journaling to protect against crashes [4] 47

USER INTERFACES 48

SCREEN SHARING Isolated applications run in different domains of trust, but separate screens are inconvenient The Nitpicker solution [5]: Let all windows share the same screen... but securely: Make windows & applications identifiable Prevent them from spying on each other: route input securely, no screenshots 49

CONCEPTS Views Buffers 50

HOW IT WORKS Views Buffers 51

NITPICKER IN 52

DEMO 53

SUMMARY Secure reuse of untrusted legacy infrastructure Split apps + OS services for smaller TCB Nizza secure system architecture: Strong isolation Application-specific TCBs Legacy Reuse Trusted Wrapper 54

COMING UP Next year, January 10th: Lecture on Trusted Computing : Where does VPFS store its secrets? How does VPFS detect corrupt data? How to trust in what Nitpicker shows on screen? Also on January 10th: Paper reading exercise (see website) 55

REFERENCES [1] http://www.heise.de/newsticker/month-of-kernel-bugs-ein-zwischenstand--/meldung/81454 [2] http://projects.info-pull.com/mokb/ [3] Carsten Weinhold and Hermann Härtig, VPFS: Building a Virtual Private File System with a Small Trusted Computing Base, Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems, April 2008, Glasgow, Scotland UK [4] Carsten Weinhold and Hermann Härtig, jvpfs: Adding Robustness to a Secure Stacked File System with Untrusted Local Storage Components, Proceedings of the 2011 USENIX Annual Technical Conference, Portland, OR, USA, June 2011 [5] Norman Feske and Christian Helmuth, A Nitpicker's guide to a minimal-complexity secure GUI, ACSAC '05: Proceedings of the 21st Annual Computer Security Applications Conference, 2005, Washington, DC, USA [6] Christian Helmuth, Alexander Warg, Norman Feske, Mikro-SINA - Hands-on Experiences with the Nizza Security Architecture, D.A.CH Security 2005, 2005, Darmstadt, Germany [7] http://support.apple.com/kb/ht4013 [8] http://support.apple.com/kb/ht3754 [9] http://jailbreakme.com 56

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback