protecting data in untrusted locations
play

Protecting Data in Untrusted Locations An exercise in Real World - PowerPoint PPT Presentation

Aug 22, 2022 •300 likes •714 views

Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan Schaumann 99CE 1DC7 770A C5A8 09A6 @jschauma 0DCD 66CE 4FE9 6F6B D3D7 Me. Errday. Obligatory James Mickens This World of Ours reference.

  1. Protecting Data in Untrusted Locations An exercise in “Real World” threat modeling. Jan Schaumann 99CE 1DC7 770A C5A8 09A6 @jschauma 0DCD 66CE 4FE9 6F6B D3D7

  2. Me. Errday.

  4. Obligatory James Mickens “This World of Ours” reference. Threat Model https://t.co/Ej94YI4Ovr

  5. Obligatory James Mickens “This World of Ours” reference. Threat Model https://t.co/Ej94YI4Ovr

  7. Tweeters gonna tweet

  8. https://t.co/ykdsHGV84r

  9. https://t.co/ykdsHGV84r

  10. https://t.co/ykdsHGV84r

  11. Threat Model Threat Actors: • hackeris vulgaris • organized crime (fsvo “organized”) • local governments or intelligence services • foreign governments or intelligence services

  12. Threat Model Assets: • Physical Equipment • Local Service Access Point • Access/Entry point to Infrastructure • TLS keys

  13. Access/Entry point to Infrastructure • physically protected systems • no “secrets” permanently stored on systems • traffic severely restricted • all traffic must be mutually authenticated

  15. Obligatory XKCD comic. This also works. https://www.xkcd.com/538/

  17. TLS keys

  18. TLS keys Y U NO HSM?

  19. No time to explain - get in the llama!

  23. Booting First time: • boot into single-user mode • generate TPM-backed CSR • submit CSR to service in datacenter • cert generated, used to encrypt client puppet key • encrypted puppet key stored in host image Nth time: • iPXE via TLS • init script decrypts puppet key using TPM • puppet does its thing

  24. “Reflections on Trusting Trust” Obligatory reference. http://cm.bell-labs.com/who/ken/trust.html

  25. Wile E. Coyote has an MBA. Cost of Attack Wile’s ROI Value of Asset

  26. Wile E. Coyote has an MBA. Cost of Attack Wile’s ROI Value of Asset

  27. Raising the cost of attack Wile E. Coyote needs: • physical access • ability to attack running system • persistent undetected presence

  28. Wile E. Coyote has an MBA. Cost of Attack Wile’s ROI Value of Asset

  29. Wile E. Coyote has an MBA. Cost of Attack Wile’s ROI Value of Asset

  30. Reducing the value of TLS keys • Forward Secrecy • tightly scoped certificates • short-lived • alert if observed outside of expected env

  31. Possible scenarios • hardware compromised prior to us racking it • resources compromised through temporary physical access (ACME backdoor) • ACME fake hole, ACME rocket powered roller skates, ACME do-it- yourself tornado kit, ACME earthquake pills, ...

  34. Lessons: You can’t just rub some crypto on it. http://youtu.be/YsY2-yi5W74

  35. Lessons: Know your assets, know your adversaries.

  40. Thanks! (now get in the llama!) Jan Schaumann 54FE 193F 64ED DD0B CFDE @jschauma 40D6 1983 626F 1E52 3D3A

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hails: Protecting Data Privacy in Untrusted Web Applications Daniel B. Giffin, Amit Levy, Deian

Hails: Protecting Data Privacy in Untrusted Web Applications Daniel B. Giffin, Amit Levy, Deian

Hails: Protecting Data Privacy in Untrusted Web Applications Daniel B. Giffin, Amit Levy, Deian Stefan, David Terei, John Mitchell, David Mazires, and Alejandro Russo Web platforms are great ! They allow third-party developers to build apps

714 views • 54 slides
Chip-Secured Data Access: Confidential Data on Untrusted Servers L. Bouganim, P. Pucheral

Chip-Secured Data Access: Confidential Data on Untrusted Servers L. Bouganim, P. Pucheral

Chip-Secured Data Access: Confidential Data on Untrusted Servers L. Bouganim, P. Pucheral University of Versailles The need for Open Trusted Data Stores PAGE 2 Virtual teams distributed among space, time and organizations

394 views • 12 slides
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras

Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras

Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules or library untrusted

797 views • 46 slides
Deserialization of untrusted data in Java Analysis, current solutions & a new approach

Deserialization of untrusted data in Java Analysis, current solutions & a new approach

Deserialization of untrusted data in Java Analysis, current solutions & a new approach Apostolos Giannakidis OWASP London Meetup @apgiannakidis 18th May 2017 1 Whois Security Architect at Waratek Application security

587 views • 46 slides
MEDIA KIT COVERAGE LOCATIONS English Language Locations Chinese Language Locations Melbourne

MEDIA KIT COVERAGE LOCATIONS English Language Locations Chinese Language Locations Melbourne

SUPER FAST 15 MINS 1300 733 215 UNLIMITED DATA sales@netbaywifi.com.au MEDIA KIT COVERAGE LOCATIONS English Language Locations Chinese Language Locations Melbourne CBD Melbourne CBD Glen Waverly VIC Glen Waverly - VIC Metro

268 views • 5 slides
Learning from Untrusted Data Moses Charikar, Jacob Steinhardt, Gregory Valiant Symposium on the

Learning from Untrusted Data Moses Charikar, Jacob Steinhardt, Gregory Valiant Symposium on the

Learning from Untrusted Data Moses Charikar, Jacob Steinhardt, Gregory Valiant Symposium on the Theory of Computing June 19, 2017 (Icon credit: Annie Lin) Motivation: data poisoning attacks: 1 (Icon credit: Annie Lin) Motivation: data

621 views • 48 slides
Sharing and Protecting Data to Improve Student Outcomes Community Schools Community of Practice

Sharing and Protecting Data to Improve Student Outcomes Community Schools Community of Practice

Sharing and Protecting Data to Improve Student Outcomes Community Schools Community of Practice Nov. 16, 2017 Agenda Why sharing and protecting student data matters Sharing data deep dive Protecting data deep dive Tips

313 views • 30 slides
Protecting Your Identity, Data, and Assets 1 Its Not a Matter of If, but When 17.6

Protecting Your Identity, Data, and Assets 1 Its Not a Matter of If, but When 17.6

Protecting Your Identity, Data, and Assets 1 Its Not a Matter of If, but When 17.6 million 63% Identity fraud is a serious issue. people experienced of confirmed data Fraudsters have identity theft in 2014 breaches involved stolen

605 views • 29 slides
Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work

Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work

Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work with Alessandro Chiesa Eli Ben-Sasson Daniel Genkin 1 Technion Cryptoday June 16, 2011 Motivation 3 Motivation INTEGRITY CONFIDENTIALITY

725 views • 50 slides
Robust Learning from Untrusted Sources Nikola Konstantinov Christoph H. Lampert ICML, June 2019

Robust Learning from Untrusted Sources Nikola Konstantinov Christoph H. Lampert ICML, June 2019

Robust Learning from Untrusted Sources Nikola Konstantinov Christoph H. Lampert ICML, June 2019 Konstantinov, Lampert; IST Austria Robust Learning from Untrusted Sources Poster 156 1 / 13 Motivation Collecting data for machine learning

386 views • 28 slides
Sieve: Cryptographically Enforced Access Control for User Data in Untrusted Clouds Frank Wang (MIT

Sieve: Cryptographically Enforced Access Control for User Data in Untrusted Clouds Frank Wang (MIT

Sieve: Cryptographically Enforced Access Control for User Data in Untrusted Clouds Frank Wang (MIT CSAIL) , James Mickens (Harvard), Nickolai Zeldovich (MIT CSAIL), Vinod Vaikuntanathan (MIT CSAIL) 1 Motivation Boston Marathon NY Marathon

1.12k views • 95 slides
Towards Application Security on Untrusted Operating Systems Dan R. K. Ports Tal Garfinkel MIT

Towards Application Security on Untrusted Operating Systems Dan R. K. Ports Tal Garfinkel MIT

Towards Application Security on Untrusted Operating Systems Dan R. K. Ports Tal Garfinkel MIT CSAIL & VMware VMware Motivation Many applications handle sensitive data financial, medical, insurance, military... credit cards, medical

712 views • 25 slides
Protecting Sensitive Data Implementation of a Sensitive Data Manager Recommendation Briefed

Protecting Sensitive Data Implementation of a Sensitive Data Manager Recommendation Briefed

Protecting Sensitive Data Implementation of a Sensitive Data Manager Recommendation Briefed Presidents Executive Council on 13 Jan: recommended to proceed with deploying a Sensitive Data Manager tool on all UND owned computers to

321 views • 6 slides
Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data Tyler Hunt , Zhiting Zhu,

Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data Tyler Hunt , Zhiting Zhu,

Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data Tyler Hunt , Zhiting Zhu, Yuanzhong Xu, Simon Peter, Emmett Witchel 1 Disease risk assessment: Trust issues D i s e a s e R i s k 2 Disease risk assessment: Trust

766 views • 57 slides
P Protecting Confidential Data on i C fid i l D Personal Computers with S p torage g

P Protecting Confidential Data on i C fid i l D Personal Computers with S p torage g

P Protecting Confidential Data on i C fid i l D Personal Computers with S p torage g Capsules Kevin Borders, Eric Vander Weele, Billy Lau, and Atul Prakash Problem: Malicious S oftware Computing becomes pervasive, so is malware

524 views • 29 slides
Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data

Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data

Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data Protecting Personal Data Privacy & Security Project HIPAA: What it is Health Insurance Portability and Accountability Act of 1996 Also known as

445 views • 26 slides
32+(40! -$./*0..&!12""0*+0.&

32+(40! -$./*0..&!12""0*+0.&

!"#$%&!#'($)*+, ! "##$%&'()*+,!-!./011+(2+,! Surendra Reddy Optena/Open Cloud Consortium 32+(40! -$./*0..&!12""0*+0.& !"#$%&!#'($)*+,&3/.4$()#*.&2*%& !#*.05$0*60.&

1.14k views • 45 slides
Testing PHP with Perl Chris Shiflett shiflett@php.net Geoffrey Young geoff@modperlcookbook.org

Testing PHP with Perl Chris Shiflett shiflett@php.net Geoffrey Young geoff@modperlcookbook.org

Testing PHP with Perl Chris Shiflett shiflett@php.net Geoffrey Young geoff@modperlcookbook.org 1 Why Perl? Testing has become very fashionable within the Perl community Perl testing tools are mature Some of these tools were

1.06k views • 52 slides
Server side basics 1 CSC 210 Be careful 2 Do not type any command starting with

Server side basics 1 CSC 210 Be careful 2 Do not type any command starting with

Server side basics 1 CSC 210 Be careful 2 Do not type any command starting with sudo into a terminal attached to a university computer. You have complete control over you AWS server, just as you have complete control over

594 views • 56 slides
CS 61: Database Systems Access via programming languages Agenda 1. Direct database access 2.

CS 61: Database Systems Access via programming languages Agenda 1. Direct database access 2.

CS 61: Database Systems Access via programming languages Agenda 1. Direct database access 2. Web APIs 3. Node.js 2 Python can directly query the database Steps to access MySQL from Python 1. Install connector to MySQL: sudo pip install

578 views • 14 slides
Protocol IEEE 802.11 Modeling and Control using DES Jan H. van Schuppen (CWI) with Nishant

Protocol IEEE 802.11 Modeling and Control using DES Jan H. van Schuppen (CWI) with Nishant

Protocol IEEE 802.11 Modeling and Control using DES Jan H. van Schuppen (CWI) with Nishant Paliwal (IT.BHU) S.R. Sreenivas (UIUC.CSL) SYNCHRON.2003, Marseille-Luminy, France 2 December 2003 1 Outline Introduction. Motivation of

788 views • 40 slides
Mobility Management in B3G (Beyond 3G) Networks: Middleware- based Approach ESSPE07 -

Mobility Management in B3G (Beyond 3G) Networks: Middleware- based Approach ESSPE07 -

1 Mobility Management in B3G (Beyond 3G) Networks: Middleware- based Approach ESSPE07 - Dubrovnik, Croatia, September 4, 2007 Lee Rong , Manel Fredj, Valrie Issarny and Nikolaos Georgantas Arles Group, INRIA Paris-Rocquencourt France

520 views • 11 slides
Enabling a robust VOSpace based on iRODS Andr Schaaff, Cyril Pestel Observatoire astronomique

Enabling a robust VOSpace based on iRODS Andr Schaaff, Cyril Pestel Observatoire astronomique

1 Enabling a robust VOSpace based on iRODS Andr Schaaff, Cyril Pestel Observatoire astronomique de Strasbourg CDS iRODS workshop in Lyon 2-5 February 2009 2 2 Plan 2 Context The CDS Data and data centres in the astronomical

688 views • 33 slides
GN2 JRA5: eduroam transition to service TtS meeting, 3rd technical workshop in Cambridge J.

GN2 JRA5: eduroam transition to service TtS meeting, 3rd technical workshop in Cambridge J.

Connect. Communicate. Collaborate GN2 JRA5: eduroam transition to service TtS meeting, 3rd technical workshop in Cambridge J. Rauschenbach, DFN JRA5 Team JRA5 eduroam service Connect. Communicate. Collaborate The first JRA5 service will

981 views • 21 slides

More recommend