adaptive isolation
play

Adaptive Isolation for Security Patrick Schaumont Virginia Tech - PowerPoint PPT Presentation

Sep 30, 2023 •181 likes •482 views

Adaptive Isolation for Security Patrick Schaumont Virginia Tech Dagstuhl Seminar 16441 1 November 2016 1 Objective 1. Contemporary Secure Computing An Example: Trusted Medical Applications 2. Building Blocks of Secure Computing - Attacker

  1. Adaptive Isolation for Security Patrick Schaumont Virginia Tech Dagstuhl Seminar 16441 1 November 2016 1

  2. Objective 1. Contemporary Secure Computing An Example: Trusted Medical Applications 2. Building Blocks of Secure Computing - Attacker Models - Trust 3. Isolation for Security in Practice - Lightweight Isolation using SANCUS - Server-class Isolation using SGX 4. Open Issues 2

  3. Implantable/Wearable Medical Devices Neuro Stimulator Hearing Implant d Fall Detector Internal Pacemaker Blood Pressure Insulin Pump External d Activity Tracker Sensing Actuation Control Insulin Pump Glucose Level Insulin Open-loop (programmer) Defibrillator Heart Rate Shock Closed-loop Ref. [2] 3

  4. Implantable/Wearable Medical Devices “The Cloud” Neuro Stimulator Gateway Internet Hearing Implant Fall Detector Pacemaker Blood Pressure Insulin Pump Activity Tracker Body Area Network Patient Patient Record Storage Inductive (200 KHz) Patient Record Analysis MICS (401 MHz) Bluetooth (2.4 GHz) Zigbee (2.4 GHz) PAN (2.4 GHz) Doctor Real Time Monitoring Real Time Control 4

  5. Computers Everywhere! Data bits have a uniform privacy/security concern Heartbeat Anomaly 8-bit AVR 100KHz 32-bit ARM Cortex M 8KB/2KB Intel Skylake 200MHz 6x Quad Core 1MB/64K 3GHz 16-bit MSP430 24GB Main 2MHz 16TB Secondary 24KB/4KB 64-bit ARM Cortex A53 Quad Core 800MHz 2GB 5

  6. Medical Data and IMD Concerns Security • Data confidentiality storage + transmission • Data access authorization • Data origin authentication • Data integrity • Data & device availability Safety • Device access • Device update Privacy • Device existence, type, ID • Link patient identity, device data • Device tracking, fingerprinting Ref. [1] 6

  7. Isolation Unlinkable Isolated Isolated Records Data Stream Storage (~privacy) (~confidentiality) Patient Patient Patient Core D$ DDR Payroll Web Devel MedicApp Isolated Yahoo Finance Execution Facebook 7

  8. Two (or more...) worlds of secure computing Servers Microcontrollers Simple Architecture Extremely Complex Computation (Crypto) is slow Computation (Crypto) is fast Statically-stored Secrets Ephemeral Secrets Architecture Isolation is add-on Architecture Isolation is built-in 8

  9. Objective 1. Contemporary Secure Computing An Example: Trusted Medical Applications 2. Building Blocks of Secure Computing - Attacker Models - Trust 3. Isolation for Security in Practice - Lightweight Isolation using SANCUS - Server-class Isolation using SGX 4. Open Issues 9

  10. Trust Trust Boundary Trusted Untrusted Trusted = to behave as expected Untrusted = we don’t know what will happen 10

  11. Attacker Models An Attacker Model describes how the Adversary may breach trust boundary Machine Code Attacker Model Secure • Interact, directly or indirectly, Task Task Task with memory image of secure task OS Hardware Attacker Model • Observe or influence task Hardware implementation effects I/O Attacker Model I/O • Manipulate or Control all I/O to secure task 11 Ref. [3]

  12. Countermeasures anticipate Attack Models Attack Model Countermeasure Machine Code Task Isolation • Virtual Machines • Sandboxing • Protected Module Architectures • Hardware Masking/TI • Fault Tolerance • Secure Scan/Debug I/O Memory Safety • Stack Canaries • Data Execution Prevention • Address Space Layout Randomization Countermeasures always come with overhead on performance and/or implementation cost. Security is never free. 12

  13. Trust and Isolation Assuming an Attacker Model implies choosing what you trust and what you do not trust Trust Boundary Untrusted Trusted Isolation is one (but not the only) way to achieve trust Abstraction Achieving Trust Example Information and Data Information Security Encryption & Decryption Signing & Verification Programs Trusted Computing Base Isolated Execution Physical Implementation Physical Security Side-channel Countermeas. 13

  14. InfoSec = Isolation + Interaction How does isolation help in achieving security? • Isolation is a central concept to achieve confidentiality guarantees in a secure implementation • But completely isolated architectures have no useful security policy (Alice is lonely without Bob) Key Exchange Key Key Encrypt Decrypt Isolation for Encryption Isolation for Key Storage Communication for Key Exchange Protocol Level (multi-architecture) 14

  15. Objective 1. Contemporary Secure Computing An Example: Trusted Medical Applications 2. Building Blocks of Secure Computing - Attacker Models - Trust 3. Isolation for Security in Practice - Lightweight Isolation using SANCUS - Server-class Isolation using SGX 4. Open Issues 15

  16. Two (or more...) worlds of isolation Servers Microcontrollers Driving Example: Driving Example: SGX SANCUS Measuring Integrity -> Remote or Local Attestation 16

  17. Integrity • Symmetric Setting Ref. [5] 17

  18. Integrity • Asymmetric Setting Certificate Authority Alice’s Certificate Ref. [5] 18

  19. Freshness Ref. [5] 19

  20. Attestation Data Owner’s Computer gets assurance that it is talking to a Secure Container with specific Code, Data Ref. [5] 20

  21. SANCUS: Secure System Model • Infrastructure Provider IP manages Micro-Controller Node N • Software Provider SP deploy Software SM • Adversary can control all software • Adversary can control all communications • Hardware is Trusted Ref. [4] 21

  22. SANCUS: Security Properties 1. (HW Enforced) Isolation of SM + designated entry points 2. Remote Attestation for SM to SP 3. Secure Communication Auth, Integrity, Freshness between SM to SP 4. SM on same node can securely communicate Ref. [4] 22

  23. SANCUS: Isolation MSP430 Memory Map • A secure module SM • code section with entry points • data section text end • Hardware-enforced SM Text memory access control text start 1. protected code access has protected data 2. protected code has controlled entry point data end SM Data • Dedicated Instructions data start protect SP, layout unprotect Module Identity M 23

  24. SANCUS: Privileged Communications Hardware MSP430 Memory Map Node Key K N Root of Trust Provider Key K N,SP = kdf(K N , SP) text end Module Key K N,SP,M = kdf(K N , SP, M) SM Text text start • Dedicated Instruction MAC-seal start, length, result • Remote Attestation data end • SP sends nonce • SM replies MAC using K N,SP,M SM Data • Integrity data start • SM self-MAC using K N,SP,M • SM MAC over result using K N,SP,M Module Identity M 24

  25. SGX: Secure System Model Untrusted: bios, drivers, kernel, hypervisor Trusted: Hardware (Intel CPU) Enclave (SW App) Ref. [5] 25

  26. SGX Enclave Virtual Memory Map • Integrity, Confidentiality on Code and Data • Controlled Entry Points Process • Handling of Faults, Interrupts, Syscalls Enclave • Support Multiple Processors, threads Code, Data + SECS • Access control on Physical Memory pages allocated to Enclaves • Encryption of Swapped Pages 26

  27. SGX Enclave Application Scenario Lifecycle 1. Launch and Measurement 2. Attestation of Platform, Enclave 3. Provisioning Sensitive Data 4. Sealing of Data 5. Software Upgrade Ref. [6] 27

  28. Objective 1. Contemporary Secure Computing An Example: Trusted Medical Applications 2. Building Blocks of Secure Computing - Attacker Models - Trust 3. Isolation for Security in Practice - Lightweight Isolation using SANCUS - Server-class Isolation using SGX 4. Open Issues 28

  29. Open Challenges • While performance can quantified (MB/s, MIPS, ...), security is hardly quantified • Security Level, FIPS-140 Level • What is the meaning of resource overhead for a secure architecture? • What are good metrics for secure computing? • Formal proofs and properties? • Performance of primitive secure operations? • What are the orthogonal properties of secure computing? • If isolation is property #1, what are the others? • Can we classify secure computer architectures? 29

  30. References 1. Michael Rushanan, Aviel D. Rubin, Denis Foo Kune, Colleen M. Swanson: SoK: Security and Privacy in Implantable Medical Devices and Body Area Networks . IEEE Symposium on Security and Privacy 2014: 524-539. 2. Wayne Burleson, Shane S. Clark, Benjamin Ransford, Kevin Fu: Design challenges for secure implantable medical devices . DAC 2012: 12-17. 3. Frank Piessens, Ingrid Verbauwhede: Software security: Vulnerabilities and countermeasures for two attacker models . DATE 2016: 990-999. 4. Job Noorman, Pieter Agten, Wilfried Daniels, Raoul Strackx, Anthony Van Herrewege, Christophe Huygens, Bart Preneel, Ingrid Verbauwhede, Frank Piessens: Sancus: Low-cost Trustworthy Extensible Networked Devices with a Zero-software Trusted Computing Base. USENIX Security Symposium 2013: 479-494. 5. Victor Costan, Srinivas Devadas: Intel SGX Explained. IACR Cryptology ePrint Archive 2016: 86 (2016). 6. Ittai Anati, Shay Gueron, Simon Johnson, Vincent Scarlata: Innovative Technology for CPU Based Attestation and Sealing. Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, HASP 2013. 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NETWORKONCHIPASSISTED ADAPTIVE PARTITIONING AND ISOLATION FOR DYNAMIC HOMOGENEOUS

NETWORKONCHIPASSISTED ADAPTIVE PARTITIONING AND ISOLATION FOR DYNAMIC HOMOGENEOUS

NETWORKONCHIPASSISTED ADAPTIVE PARTITIONING AND ISOLATION FOR DYNAMIC HOMOGENEOUS MANYCORES Davide Bertozzi MPSoC Research Group University of Ferrara Italy email : davide.bertozzi@unife.it A collaboration with Jos

617 views • 35 slides
Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable Isolation Dan Ports Kevin Grittner MIT Wisconsin Court System Saturday, May 21, 2011 1 Overview Serializable isolation makes it easier to reason

922 views • 60 slides
ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating

ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating

ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating auxiliary isolation rooms (CDC) SCRUBBERS - 1 ea to serve patient room, and 1 for Airlock Typically deployed on supplied wheel platform

144 views • 3 slides
Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation From in-guest kernel/userspace Provided by Xen Buggy emulation blurres the line From trusted computing base (TCB) Possible via Xen

286 views • 26 slides
2 Fault Isolation & Restoration Manual Fault Isolation & Restoration The

2 Fault Isolation & Restoration Manual Fault Isolation & Restoration The

1 Self Healing Network (Centralized Restoration Gateway) IEEE PES 2015 General Meeting 2 Fault Isolation & Restoration Manual Fault Isolation & Restoration The operator makes switching decisions Automatic Fault Location

724 views • 22 slides
GCC Highlighted Products GSure Gel Extraction kit GSure Soil DNA Isolation kit GSure Sputum DNA

GCC Highlighted Products GSure Gel Extraction kit GSure Soil DNA Isolation kit GSure Sputum DNA

GSure Bacterial genomic DNA isolation kit GCC Highlighted Products GSure Gel Extraction kit GSure Soil DNA Isolation kit GSure Sputum DNA Isolation Kit GSure Stool DNA Isolation Kit GSure Urine DNA Isolation Kit GSure Yeast RNA

455 views • 23 slides
Introduction to pixel track isolation The purpose of track isolation algorithm is an additional

Introduction to pixel track isolation The purpose of track isolation algorithm is an additional

Introduction to pixel track isolation The purpose of track isolation algorithm is an additional improvement of level-1 pixel trigger performance. Procedure of pixel track isolation Reconstructed pixel tracks using kinematic parameters

669 views • 27 slides
#KEEPTHECONVERSATIONGOING Sick pay and self isolation Day one right SSP for up to 14 days

#KEEPTHECONVERSATIONGOING Sick pay and self isolation Day one right SSP for up to 14 days

#KEEPTHECONVERSATIONGOING Sick pay and self isolation Day one right SSP for up to 14 days will be reimbursed Self isolation notes from online 111 Self isolation and pay Working from Home Everyone should be working

398 views • 12 slides
Using technology to reduce social isolation: research on dementia and social isolation Professor

Using technology to reduce social isolation: research on dementia and social isolation Professor

Using technology to reduce social isolation: research on dementia and social isolation Professor Josie Tetley Dr Emma-Reetta Koivunen Ageing and Long Term Conditions Group Faculty of Health, Psychology & Social Care Manchester

338 views • 19 slides
456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between

456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between

In this module we would review a typical gate first, poly-Si gate CMOS process flow. 456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between individual devices in a CMSO chip. Typical process details and the

381 views • 8 slides
W E OFTEN THINK : Isolation is when others leave us alone ( and its often true) B UT WE TEND

W E OFTEN THINK : Isolation is when others leave us alone ( and its often true) B UT WE TEND

W HEN F EELINGS OF I SOLATION B ECOME A R OADBLOCK Joe & Cindi Ferrini Joeferrini.com Cindiferrini.com W E OFTEN THINK : Isolation is when others leave us alone ( and its often true) B UT WE TEND TOWARD ISOLATION PULLING AWAY FROM :

723 views • 18 slides
ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted

ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted

ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted environment Possibly with multiple tenants Setting OS: users / processes Browser: webpages / browser extensions Cloud: virtual machines (VMs)

272 views • 25 slides
Derandomizing Isolation in Space-Bounded Settings Dieter van Melkebeek and Gautam Prakriya

Derandomizing Isolation in Space-Bounded Settings Dieter van Melkebeek and Gautam Prakriya

Derandomizing Isolation in Space-Bounded Settings Dieter van Melkebeek and Gautam Prakriya University of Wisconsin-Madison 6 July 2017 Isolation Isolation Computational Problem : instance x set of solutions for x . Eg.:

876 views • 42 slides
Harmonizing Performance and Isolation in Microkernels with Efficient Intra-kernel Isolation and

Harmonizing Performance and Isolation in Microkernels with Efficient Intra-kernel Isolation and

Harmonizing Performance and Isolation in Microkernels with Efficient Intra-kernel Isolation and Communication Jinyu Gu , Xinyue Wu, Wentai Li, Nian Liu, Zeyu Mi, Yubin Xia, Haibo Chen Monolithic Kernel and Microkernel 2 Monolithic Kernel and

336 views • 23 slides
Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer

Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer

Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer Science, Stanford

1.01k views • 43 slides
Language Based isolation of Untrusted JavaScript Ankur Taly Dept. of Computer Science, Stanford

Language Based isolation of Untrusted JavaScript Ankur Taly Dept. of Computer Science, Stanford

Web 2 . 0 and the Isolation Problem Case Study : FBJS Formal Semantics of JavaScript Achieving the Isolation goal Ongoing Language Based isolation of Untrusted JavaScript Ankur Taly Dept. of Computer Science, Stanford University Joint work

650 views • 46 slides
Th The GENETIC-AF Tri rial Jeff S. Healey, MD, 1 Jonathan P. Piccini, MD, 2 William T. Abraham,

Th The GENETIC-AF Tri rial Jeff S. Healey, MD, 1 Jonathan P. Piccini, MD, 2 William T. Abraham,

Im Impact of f Phar armacogenetic ic-guid ided Bu Bucin indolo lol l versus Metoprolo lol l Su Succin inate on th the Overall ll Bu Burden of f Clin Clinic ical l Events in in Pati tients with ith AF and Heart Fail ilure:

423 views • 10 slides
Should We Implant ICD In Patients With NICMP (Cons) Alireza Ghorbani Sharif, MD Interventional

Should We Implant ICD In Patients With NICMP (Cons) Alireza Ghorbani Sharif, MD Interventional

Should We Implant ICD In Patients With NICMP (Cons) Alireza Ghorbani Sharif, MD Interventional Electrophysiologist Tehran Arrhythmia Clinic March 2018 Introduction Implantation of an ICD for primary prevention of SCD in patients with

469 views • 46 slides
Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices Zachary Gruber Nicola Paoletti

Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices Zachary Gruber Nicola Paoletti

Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices Zachary Gruber Nicola Paoletti Paul D. Schreiber High School Stony Brook University Joint work with: Scott A Smolka, Shan Lin (Stony Brook) Ariful Islam (CMU) Rahul Mangharam,

539 views • 20 slides
Bundled Payments for Care Improvement - Advanced January 15, 2018 Agenda for today 1 Welcome

Bundled Payments for Care Improvement - Advanced January 15, 2018 Agenda for today 1 Welcome

Bundled Payments for Care Improvement - Advanced January 15, 2018 Agenda for today 1 Welcome & Introductions 2 Strategies for the early phases of BPCI Advanced 3 Review of the opportunity Why should you be interested? 4 Overview of

745 views • 46 slides
Lecture 9 Prototyping Terry Winograd CS147 - Introduction to Human-Computer Interaction

Lecture 9 Prototyping Terry Winograd CS147 - Introduction to Human-Computer Interaction

Lecture 9 Prototyping Terry Winograd CS147 - Introduction to Human-Computer Interaction Design Computer Science Department Stanford University Autumn 2006 CS147 - Terry Winograd - 1 Learning Goals Understand the uses of different

407 views • 36 slides
Smart Everything: Dr Jekyll or Mr Hyde? Cure by Remote A>esta@on GENE TSUDIK Computer Science

Smart Everything: Dr Jekyll or Mr Hyde? Cure by Remote A>esta@on GENE TSUDIK Computer Science

Smart Everything: Dr Jekyll or Mr Hyde? Cure by Remote A>esta@on GENE TSUDIK Computer Science Department UCI gene.tsudik@uci.edu LAB: h>p://sprout.ics.uci.edu Joint work with: HRL, Eurecom, TU Darmstadt, Aalto, Intel 1 Outline

1.12k views • 26 slides
Trends in High Performance Trends in High Performance Computing and the Grid Computing and the

Trends in High Performance Trends in High Performance Computing and the Grid Computing and the

Trends in High Performance Trends in High Performance Computing and the Grid Computing and the Grid Jack Dongarra University of Tennessee and Oak Ridge National Laboratory 1 Technology Trends: Technology Trends: Microprocessor Capacity

465 views • 23 slides
11/4/16 DISCLOSURES Review boards: Spine Deformity, CORR When degenerative problems become

11/4/16 DISCLOSURES Review boards: Spine Deformity, CORR When degenerative problems become

11/4/16 DISCLOSURES Review boards: Spine Deformity, CORR When degenerative problems become deformity cases AOA Board of Directors; SRS Committee Chair Consulting: Nuvasive Serena S. Hu, MD Professor and Vice Chair Chief,

556 views • 17 slides

More recommend