SLIDE 1

Architectural Requirements for Intransitive Trust and Fault-and-Intrusion Tolerance

Marcus Völp

University of Luxembourg Interdisciplinary Centre for Security, Reliability and Trust CritiX – Critical and Extreme Security and Dependability Research Group

PEARL Grant FNR/P14/8149128 – Paulo Esteves-Veríssimo marcus.voelp@uni.lu http://wwwen.uni.lu/snt/people/marcus_voelp

We are hiring PhDs/Postdocs!

SLIDE 2

Re-identifying de-identified data

Identifying persons from the 1000 Genomes database (2013)

  • The Y chromosome is transmitted from father to son, as are family surnames;
  • this strong correlation allowed the identity behind 131 genomes to be revealed!

The world is becoming infrastructure-centric

SLIDE 3


[Figure: attack sophistication vs. attacker expertise, 1980 to 20xx. Axes: required attacker expertise (high to low) and available attack sophistication (low to high). Timeline labels: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, DDoS attacks, bot nets, embedded malicious code.]

(Source: adapted from Lipson, H. F., Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues, Special Report CMS/SEI-2002-SR-009, November 2002 (CERT).)

Attack sophistication vs. attacker expertise

TARGETED ATTACKS a.k.a. ADVANCED PERSISTENT THREATS

SLIDE 4


The functionality/code size dilemma

Dagstuhl Seminar 17061 - Wildly Heterogeneous Post-CMOS Technologies Meet Software - Marcus Völp (marcus.voelp@uni.lu)

  • Application scenarios require systems to provide a certain set of functionalities …

[Figure: functionality stack of an autonomous vehicle, adapted from Urmson et al., “Autonomous driving in urban environments: Boss and the urban challenge,” Journal of Field Robotics ‘08. Components: ESP / ABS control, distance and lane keeping, trajectory planning, situation recognition, image processing, V2V / V2I, platoon joining / leaving, navigation; arranged by complexity / computation demand against low-latency requirements.]

SLIDE 5


The functionality/code size dilemma


  • Application scenarios require systems to provide a certain set of functionalities …
  • … but to implement these functionalities we need a certain amount of code
    – even if development time and costs don’t matter; and
    – even if you only use high-class developers
  • Chou et al. (SOSP’01): one bug every 1000 lines of code
  • RTOS: ca. 5 KLOC
  • Microkernel: 10 – 15 KLOC
  • Legacy OS: 15 – 50 MLOC

5-13 PY formal verification

SLIDE 6


The functionality/code size dilemma


[Figure: three system structures side by side, with approximate kernel size.
  • Monolithic operating systems: apps on top of a legacy operating system (Linux) containing filesystem, drivers, scheduling, threads and network, on multi-/manycore hardware; ~15-50 million LOC.
  • Microkernel-/microhypervisor-based systems: apps on top of a microkernel / microhypervisor that provides only memory mechanisms, scheduling and threads, with filesystem, drivers, network and memory policies outside the kernel; ~15 kLOC.
  • Enclaves: a management operating system and apps beside enclaves, on hardware acting as enclave provider; size: ?]

SLIDE 7


From transitive trust …

[Figure: a legacy OS (driver, FS, net, resource mgmt) hosting a legacy app, an app, a player and two secure apps.]

SLIDE 8


… to intransitive trust

[Figure: components: legacy OS, driver, FS, stub, legacy app, app, en-/decryption, VPFS, player, codec, framebuffer mgr., secure app, secure app, resource mgmt.]

  • Weinhold et al., “jVPFS: Adding Robustness to a Secure Stacked File System with Untrusted Local Storage Components”, USENIX ATC, 2011
  • Singaravelu et al., “Reducing TCB Complexity for Security-Sensitive Applications: Three Case Studies”, Eurosys, 2006

SLIDE 9


… to intransitive trust

[Figure: the same components as on the previous slide (legacy OS, driver, FS, stub, legacy app, app, en-/decryption, VPFS, secure app, secure app, player, codec, framebuffer mgr., resource mgmt), with the isolation substrates listed beneath: Intel SGX, ARM TrustZone / …, microhypervisor, InkTag (Hoffmann et al. ‘13), Manycore + DTUs, M3 (Asmussen, Völp, … ASPLOS ‘16).]
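The move from transitive to intransitive trust on these slides can be made concrete by computing which components are able to break a secure app's guarantees. The Python below is an added illustration, not code from the talk or from jVPFS/VPFS; the component graph, the edge labels and the KLOC figures are constructed, with sizes only roughly following the orders of magnitude quoted on slides 5 and 6.

```python
"""Added illustration (not from the talk): how intransitive trust shrinks the
set of components a secure app must trust. Component names, edges and KLOC
figures are constructed for this example."""

# Rough code sizes in KLOC (constructed; orders of magnitude as on slides 5/6)
KLOC = {
    "microhypervisor": 15, "legacy_os": 30_000, "driver": 200, "fs": 500,
    "resource_mgmt": 10, "vpfs": 20, "encryption": 5, "stub": 1, "secure_app": 50,
}

# deps[a][b] is "trust" when a's confidentiality/integrity depends on b behaving
# correctly, and "untrusted" when a merely uses b (e.g. for storage) but guards
# itself against b cryptographically, as VPFS does with the legacy file system.
TRANSITIVE = {
    "secure_app": {"legacy_os": "trust", "microhypervisor": "trust"},
    "legacy_os": {"fs": "trust", "driver": "trust", "resource_mgmt": "trust"},
    "fs": {"driver": "trust"},
}
INTRANSITIVE = {
    "secure_app": {"vpfs": "trust", "microhypervisor": "trust"},
    "vpfs": {"encryption": "trust", "stub": "trust"},
    "stub": {"legacy_os": "untrusted"},  # en-/decryption cuts the trust chain here
    "legacy_os": {"fs": "trust", "driver": "trust", "resource_mgmt": "trust"},
}

def closure(graph, root, kinds):
    """Transitive closure of root following only edges whose kind is in kinds."""
    seen, stack = {root}, [root]
    while stack:
        for dep, kind in graph.get(stack.pop(), {}).items():
            if kind in kinds and dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen

def tcb(graph, root):
    """Components whose compromise could violate root's security."""
    return closure(graph, root, {"trust"})

def tcb_kloc(graph, root):
    """Code that must be correct for root to be secure."""
    return sum(KLOC[c] for c in tcb(graph, root))

def availability_deps(graph, root):
    """Everything root needs to make progress (all edge kinds). Intransitive
    trust does not remove the legacy OS from this set; replication and voting
    (slide 10) are what address that."""
    return closure(graph, root, {"trust", "untrusted"})
```

With these constructed figures the secure app's TCB drops from roughly 30 MLOC to under 100 KLOC, while its availability still depends on the legacy OS.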

SLIDE 10


… to intransitive trust

[Figure: as on the previous slide, but the VPFS is now replicated (several VPFS instances) with a Vote component in front of the replicas; legacy OS, driver, FS, stub, legacy app, app, en-/decryption, secure app, player, resource mgmt and the isolation substrates (Intel SGX, ARM TrustZone / …, microhypervisor, InkTag (Hoffmann et al. ‘13), Manycore + DTUs, M3 (Asmussen, Völp, … ASPLOS ‘16)) as before.]

What we know:
  • isolation (fault A ≠> fault B)
  • diversity
  • rejuvenation
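The Vote box in front of the VPFS replicas, together with the three things "we know" (isolation, diversity, rejuvenation), is the fault-and-intrusion-tolerance pattern this slide sketches. The Python below is an added illustration of such a voter, not code from the talk; the fault bound (2f+1 replicas, at most f faulty or compromised per read), the replica replies and the rejuvenation bookkeeping are constructed assumptions.

```python
"""Added sketch (not from the talk) of majority voting over diversified VPFS
replicas with rejuvenation of suspects. Fault bound, replies and bookkeeping
are constructed assumptions; the voter itself is trusted and must stay small."""
from collections import Counter

F = 1            # faulty/compromised replicas tolerated per read (assumption)
N = 2 * F + 1    # replicas needed so that f+1 correct ones always form a majority

def vote(replies):
    """replies: replica id -> returned value, or None for no answer.
    Returns (majority value, suspects). A suspect disagreed or stayed silent and
    is a candidate for reactive rejuvenation. Isolation is what keeps a faulty
    replica from corrupting the others, so the majority stays correct."""
    counts = Counter(v for v in replies.values() if v is not None)
    if not counts:
        raise RuntimeError("no replica answered")
    value, support = counts.most_common(1)[0]
    if support < F + 1:      # more than f replicas faulty: assumption violated
        raise RuntimeError(f"no majority among {len(replies)} replicas")
    suspects = sorted(r for r, v in replies.items() if v != value)
    return value, suspects

class ReplicaSet:
    """N replicas, each with a 'variant' counter standing for its diversified
    build. Rejuvenation replaces a replica with a fresh instance of a new variant,
    reactively (after a vote flags it) or proactively (every `period` reads), so a
    compromise that stays hidden is still bounded in time."""

    def __init__(self, period=3):
        self.replicas = {f"vpfs{i}": 0 for i in range(N)}   # id -> variant
        self.period, self.reads, self.next_proactive = period, 0, 0

    def rejuvenate(self, rid):
        self.replicas[rid] += 1          # new variant = fresh, diversified image

    def read(self, replies):
        """Vote over one round of replies, rejuvenate suspects, and on every
        `period`-th read proactively rejuvenate the next replica in turn."""
        value, suspects = vote(replies)
        for rid in suspects:
            self.rejuvenate(rid)
        self.reads += 1
        if self.reads % self.period == 0:
            rid = sorted(self.replicas)[self.next_proactive % N]
            self.rejuvenate(rid)
            self.next_proactive += 1
        return value
```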

SLIDE 11


Architectural implications

[Figure: a secure app with three VPFS replicas on top of a microhypervisor spanning Core, Core, Core, Memory / IO, …]

What we know:
  • isolation (fault A ≠> fault B)
  • diversity
  • rejuvenation

SLIDE 12


Architectural implications

[Figure: heterogeneous hardware (Core, Core, Core, Core, GPU, SiNW, Neuro, FPGA) under a µHV with Memory / IO …, hosting a secure app with three VPFS replicas. Annotations: IP cores in the NoC need to be isolated from the local core, and we need strong core-to-core isolation (we like to keep plug+play HW design).]

What we know:
  • isolation (fault A ≠> fault B)
  • diversity
  • rejuvenation

What we don’t know:
  • is the digital system abstraction enough?
  • how can we prove absence of side-channels?
  • how can we insert strong isolation into
    – existing structures (FPGA, GPU, …)?
    – novel materials structures (transistor-granular reconf. circuits, …)?