Cyber Security Innovation IMHO v4

Computer Security Innovation IMHO

Presented for your consideration by: Fred Seigneur

description

A presentation on securing cyberspace, starting with the Foundation

Transcript of Cyber Security Innovation IMHO v4

Page 1: Cyber Security Innovation IMHO v4

Computer Security Innovation

IMHO

Presented for your consideration by: Fred Seigneur

Page 2: Cyber Security Innovation IMHO v4

2014 Cybersecurity Innovation Forum

In January 2014, I attended the 2014 Cybersecurity Innovation Forum, in Baltimore.

One reason I attended was that I was impressed with the Forum’s stated vision.

Page 3: Cyber Security Innovation IMHO v4

2014 Cybersecurity Innovation Forum – Background and Vision

In spite of this insightful and accurate assessment that our current approach to Cybersecurity is unsustainable, and non-scalable, rather little innovation to “define and embrace a fundamentally different approach to enterprise architecture security – one that builds security in from the beginning as a robust and solid foundation upon which to conduct our transactions” was presented.

Page 4: Cyber Security Innovation IMHO v4

Foundational Weaknesses

Helm's Deep


Page 5: Cyber Security Innovation IMHO v4

Foundational Weaknesses

Such weaknesses exist, but are poorly understood and generally ignored


Page 6: Cyber Security Innovation IMHO v4

Computer Security - Defense in Depth

Helm's Deep had Defense in Depth

Page 8: Cyber Security Innovation IMHO v4

The Root(s) of the Problem

Today’s Operating Systems are not secure and are too complex to secure by retrofit.

Few Operating Systems or Applications are rugged.

Don’t verify inputs.

Crash leaving attack vectors for malicious code.

Most current security “solutions” are “Band-Aid” approaches.

Page 9: Cyber Security Innovation IMHO v4

Operating Systems and Applications Lack a Basic Immune System

Like someone who must be protected by an external bubble

What’s wrong with this picture?

David Vetter, a young boy from Texas, lived his life - in a plastic bubble. Nicknamed "Bubble Boy," David was born in 1971 with severe combined immunodeficiency, and was forced to live in a specially constructed sterile plastic bubble from birth until he died at age 12. (The photo is from a movie based, inappropriately, on David’s plight.)


Page 10: Cyber Security Innovation IMHO v4

Foundational Immune System Deficiencies

Two very serious foundational software problems

Operating Systems

Applications Software

Both of these have the same root cause

Software Developers do not write robust code. Why?

They don’t know how

They don’t know why it’s important

They did not learn how, or why it’s so critical

Page 11: Cyber Security Innovation IMHO v4

Foundational Immune Deficiencies (Cont.)

Two very serious foundational educational problems

Software developers have NOT been taught why or how to write robust and defensive code.

Many CS Professors don’t know how to write robust and defensive code, or why it is necessary to teach it.

Page 12: Cyber Security Innovation IMHO v4

Long Term Solutions

Better Education

Better Computer Security Education

Better CS and Engineering Education

Include Basic Computer Security Education Thread in Virtually All University/College Departments

Create Demand for Foundational Security Solutions

IT Procurement Authorities & Staff

Users

University/College Accreditation Authorities

Page 13: Cyber Security Innovation IMHO v4

How Can This be Done?

Some Universities understand these issues

A few Educational Institutions have realized that they can differentiate themselves in the educational market by implementing steps such as those above.

Page 14: Cyber Security Innovation IMHO v4

The Current State of Cyber Security Practice

Patch known holes

Hope we fixed ALL the holes

Page 15: Cyber Security Innovation IMHO v4

Small leaks can get bigger and some still remain undetected

Page 16: Cyber Security Innovation IMHO v4

But, then …

It is not IF your dam will break, it’s WHEN

Page 17: Cyber Security Innovation IMHO v4

Plan Ahead

Your dam WILL break

Start planning a downstream dam ASAP

Existing components, available today, can be integrated to create a Secure Computing InFrastructure (SCIF*)

* SCIF – A compartmentalized infrastructure for processing sensitive information

Page 18: Cyber Security Innovation IMHO v4

Secure Computing Infrastructure

Preliminary Block Diagram

[Block diagram. Labels: User Mode Partitions; Kernel Mode; Trusted Network Drivers; Erlang Virtual Machine; User 1 Erlang Program; User n Erlang Program; Encryption Services; Separation Kernel (seL4); Hardware w/Trusted Platform Module (TPM)]

Page 19: Cyber Security Innovation IMHO v4

Secure Computing Infrastructure

The block diagram in the previous slide is for the basic SCIF. It can be used in an embedded system (such as IoT) and executes Erlang functions as transactions. One envisioned application is as a Secure Network Interface (SNIF), which can be used to verify and authenticate inputs to and outputs from a secure enclave. With two or more SCIF boards in a system, fault tolerance is supported using Erlang fault tolerance.

Development of SCIF applications and Administration of the SCIF and SNIF are supported via Erlang running on a virtualized instance of Linux, atop seL4. This SCIF Management System (SMS) will also be fault tolerant, using Erlang's inherent fault tolerant capabilities.

The same architecture can be used to host other Linux applications in a more trusted and fault tolerant environment than with off the shelf Linux.

Page 20: Cyber Security Innovation IMHO v4

Recent Progress

The Parallella board seems ideally suited for the SCIF prototype.

Erlang Virtual Machine runs on Adapteva Epiphany

Secure seL4 microkernel runs on ARM

Real-time code on the ARM under seL4 isolates access to Erlang on the Epiphany chip

Applications run securely on the Epiphany in Erlang, a functional programming language that supports soft real-time, like a Software Defined Networking (SDN) controller

Page 21: Cyber Security Innovation IMHO v4

Phased Integration Plan

Proposed by the Secure Computing Innovation Foundation

Phase I – Feasibility Study

Phase II – Proof of Concept/Demonstration

Phase III – Field Trials