Minimal Trusted Computing Base for Critical Infrastructure Protection

Velagapalli, Arun

17 August 2013

Critical infrastructures like oil & gas, power grids, water treatment facilities, domain name system (DNS) etc., are attractive targets for attackers — both due to the potential impact of attacks on such systems, and due to the enormous attack surface exposed by such systems. Unwarranted functionality in the form of accidental bugs or maliciously inserted hidden functionality in any component of a system could potentially be exploited by attackers to launch attacks on the system. As it is far from practical to root out undesired functionality in every component of a complex system, it is essential to develop security measures for protecting CI systems that rely only on the integrity of a small number of carefully constructed components, identified as the trusted computing base (TCB) for the system. The broad aim of this dissertation is to characterize elements of the TCB for critical infrastructure systems, and outline strategies to leverage the TCB to secure CI systems. A unified provider-middleman-consumer (PMC) view of systems was adopted to characterize systems as being constituted by providers of data, untrusted middlemen, and consumers of data. As the goal of proposed approach is to eliminate the need to trust most components of a system to be secured, most components of the system are considered to fall under the category of “untrusted middlemen.” From this perspective, the TCB for the system is a minimal set of trusted functionality required to verify that the tasks performed by the middle-men will not result in violation of the desired assurances. Specific systems that were investigated in this dissertation work to characterize the minimal TCB included the domain name system (DNS), dynamic DNS, and Supervisory Control and Data Acquisition (SCADA) systems that monitor/control various CI systems. For such systems, this dissertation provides a comprehensive functional specification of the TCB, and outlines security protocols that leverage the trust in TCB functionality to realize the desired assurances regarding the system.

Critical Infrastructure

Security

DNS

DNSSEC

SCADA security

Data Dissemination Systems

Trusted Computing base

TCG

Trusted Module

Design and analysis of a trustworthy, Cross Domain Solution architecture

Daughety, Nathan

23 August 2022

No description available.

Computer Science

Cross Domain Solution

Trustworthiness

Trusted Computing Base

Data Confidentiality

Formal Verification

Security Analysis

Enhancing security in distributed systems with trusted computing hardware

Reid, Jason Frederick

January 2007

The need to increase the hostile attack resilience of distributed and internet-worked computer systems is critical and pressing. This thesis contributes to concrete improvements in distributed systems trustworthiness through an enhanced understanding of a technical approach known as trusted computing hardware. Because of its physical and logical protection features, trusted computing hardware can reliably enforce a security policy in a threat model where the authorised user is untrusted or when the device is placed in a hostile environment. We present a critical analysis of vulnerabilities in current systems, and argue that current industry-driven trusted computing initiatives will fail in efforts to retrofit security into inherently flawed operating system designs, since there is no substitute for a sound protection architecture grounded in hardware-enforced domain isolation. In doing so we identify the limitations of hardware-based approaches. We argue that the current emphasis of these programs does not give sufficient weight to the role that operating system security plays in overall system security. New processor features that provide hardware support for virtualisation will contribute more to practical security improvement because they will allow multiple operating systems to concurrently share the same processor. New operating systems that implement a sound protection architecture will thus be able to be introduced to support applications with stringent security requirements. These can coexist alongside inherently less secure mainstream operating systems, allowing a gradual migration to less vulnerable alternatives. We examine the effectiveness of the ITSEC and Common Criteria evaluation and certification schemes as a basis for establishing assurance in trusted computing hardware. Based on a survey of smart card certifications, we contend that the practice of artificially limiting the scope of an evaluation in order to gain a higher assurance rating is quite common. Due to a general lack of understanding in the marketplace as to how the schemes work, high evaluation assurance levels are confused with a general notion of 'high security strength'. Vendors invest little effort in correcting the misconception since they benefit from it and this has arguably undermined the value of the whole certification process. We contribute practical techniques for securing personal trusted hardware devices against a type of attack known as a relay attack. Our method is based on a novel application of a phenomenon known as side channel leakage, heretofore considered exclusively as a security vulnerability. We exploit the low latency of side channel information transfer to deliver a communication channel with timing resolution that is fine enough to detect sophisticated relay attacks. We avoid the cost and complexity associated with alternative communication techniques suggested in previous proposals. We also propose the first terrorist attack resistant distance bounding protocol that is efficient enough to be implemented on resource constrained devices. We propose a design for a privacy sensitive electronic cash scheme that leverages the confidentiality and integrity protection features of trusted computing hardware. We specify the command set and message structures and implement these in a prototype that uses Dallas Semiconductor iButtons. We consider the access control requirements for a national scale electronic health records system of the type that Australia is currently developing. We argue that an access control model capable of supporting explicit denial of privileges is required to ensure that consumers maintain their right to grant or withhold consent to disclosure of their sensitive health information in an electronic system. Finding this feature absent in standard role-based access control models, we propose a modification to role-based access control that supports policy constructs of this type. Explicit denial is difficult to enforce in a large scale system without an active central authority but centralisation impacts negatively on system scalability. We show how the unique properties of trusted computing hardware can address this problem. We outline a conceptual architecture for an electronic health records access control system that leverages hardware level CPU virtualisation, trusted platform modules, personal cryptographic tokens and secure coprocessors to implement role based cryptographic access control. We argue that the design delivers important scalability benefits because it enables access control decisions to be made and enforced locally on a user's computing platform in a reliable way.

trusted computing

trusted computing hardware

trusted systems

operating system security

distributed systems security

smart card

security evaluation

tamper resistance

distance bounding protocol

side channel leakage

electronic cash

electronic health records

role-based access control

Radium: Secure Policy Engine in Hypervisor

Shah, Tawfiq M.

08 1900

The basis of today’s security systems is the trust and confidence that the system will behave as expected and are in a known good trusted state. The trust is built from hardware and software elements that generates a chain of trust that originates from a trusted known entity. Leveraging hardware, software and a mandatory access control policy technology is needed to create a trusted measurement environment. Employing a control layer (hypervisor or microkernel) with the ability to enforce a fine grained access control policy with hyper call granularity across multiple guest virtual domains can ensure that any malicious environment to be contained. In my research, I propose the use of radium's Asynchronous Root of Trust Measurement (ARTM) capability incorporated with a secure mandatory access control policy engine that would mitigate the limitations of the current hardware TPM solutions. By employing ARTM we can leverage asynchronous use of boot, launch, and use with the hypervisor proving its state and the integrity of the secure policy. My solution is using Radium (Race free on demand integrity architecture) architecture that will allow a more detailed measurement of applications at run time with greater semantic knowledge of the measured environments. Radium incorporation of a secure access control policy engine will give it the ability to limit or empower a virtual domain system. It can also enable the creation of a service oriented model of guest virtual domains that have the ability to perform certain operations such as introspecting other virtual domain systems to determine the integrity or system state and report it to a remote entity.

Trusted computing

TPM remote attestation

trusted boot

ORTM

SRTM

XEN

XSM

Computer architecture.

Computer security.

System design.

Improving System Security Through TCB Reduction

Kauer, Bernhard

15 December 2014

The OS (operating system) is the primary target of todays attacks. A single exploitable defect can be sufficient to break the security of the system and give fully control over all the software on the machine. Because current operating systems are too large to be defect free, the best approach to improve the system security is to reduce their code to more manageable levels. This work shows how the security-critical part of the OS, the so called TCB (Trusted Computing Base), can be reduced from millions to less than hundred thousand lines of code to achieve these security goals. Shrinking the software stack by more than an order of magnitude is an open challenge since no single technique can currently achieve this. We therefore followed a holistic approach and improved the design as well as implementation of several system layers starting with a new OS called NOVA. NOVA provides a small TCB for both newly written applications but also for legacy code running inside virtual machines. Virtualization is thereby the key technique to ensure that compatibility requirements will not increase the minimal TCB of our system. The main contribution of this work is to show how the virtual machine monitor for NOVA was implemented with significantly less lines of code without affecting the performance of its guest OS. To reduce the overall TCB of our system, other parts had to be improved as well. Additional contributions are the simplification of the OS debugging interface, the reduction of the boot stack and a new programming language called B1 that can be more easily compiled.

info:eu-repo/classification/ddc/004

ddc:004

TCB Minimizing Model of Computation (TMMC)

Bushra, Naila

13 December 2019

The integrity of information systems is predicated on the integrity of processes that manipulate data. Processes are conventionally executed using the conventional von Neumann (VN) architecture. The VN computation model is plagued by a large trusted computing base (TCB), due to the need to include memory and input/output devices inside the TCB. This situation is becoming increasingly unjustifiable due to the steady addition of complex features such as platform virtualization, hyper-threading, etc. In this research work, we propose a new model of computation - TCB minimizing model of computation (TMMC) - which explicitly seeks to minimize the TCB, viz., hardware and software that need to be trusted to guarantee the integrity of execution of a process. More specifically, in one realization of the model, the TCB can be shrunk to include only a low complexity module; in a second realization, the TCB can be shrunk to include nothing, by executing processes in a blockchain network. The practical utilization of TMMC using a low complexity trusted module, as well as a blockchain network, is detailed in this research work. The utility of the TMMC model in guaranteeing the integrity of execution of a wide range of useful algorithms (graph algorithms, computational geometric algorithms, NP algorithms, etc.), and complex large-scale processes composed of such algorithms, are investigated.

Trusted Computing Base

minimal TCB

trusted execution

blockchain

two-party prover-verifier protocol

Authenticated Data Structure

Ordered Merkle Tree

Architectural Enhancements to Increase Trust in Cyber-Physical Systems Containing Untrusted Software and Hardware

Farag, Mohammed Morsy Naeem

25 October 2012

Embedded electronics are widely employed in cyber-physical systems (CPSes), which tightly integrate and coordinate computational and physical elements. CPSes are extensively deployed in security-critical applications and nationwide infrastructure. Perimeter security approaches to preventing malware infiltration of CPSes are challenged by the complexity of modern embedded systems incorporating numerous heterogeneous and updatable components. Global supply chains and third-party hardware components, tools, and software limit the reach of design verification techniques and introduce security concerns about deliberate Trojan inclusions. As a consequence, skilled attacks against CPSes have demonstrated that these systems can be surreptitiously compromised. Existing run-time security approaches are not adequate to counter such threats because of either the impact on performance and cost, lack of scalability and generality, trust needed in global third parties, or significant changes required to the design flow. We present a protection scheme called Run-time Enhancement of Trusted Computing (RETC) to enhance trust in CPSes containing untrusted software and hardware. RETC is complementary to design-time verification approaches and serves as a last line of defense against the rising number of inexorable threats against CPSes. We target systems built using reconfigurable hardware to meet the flexibility and high-performance requirements of modern security protections. Security policies are derived from the system physical characteristics and component operational specifications and translated into synthesizable hardware integrated into specific interfaces on a per-module or per-function basis. The policy-based approach addresses many security challenges by decoupling policies from system-specific implementations and optimizations, and minimizes changes required to the design flow. Interface guards enable in-line monitoring and enforcement of critical system computations at run-time. Trust is only required in a small set of simple, self-contained, and verifiable guard components. Hardware trust anchors simultaneously addresses the performance, flexibility, developer productivity, and security requirements of contemporary CPSes. We apply RETC to several CPSes having common security challenges including: secure reconfiguration control in reconfigurable cognitive radio platforms, tolerating hardware Trojan threats in third-party IP cores, and preserving stability in process control systems. High-level architectures demonstrated with prototypes are presented for the selected applications. Implementation results illustrate the RETC efficiency in terms of the performance and overheads of the hardware trust anchors. Testbenches associated with the addressed threat models are generated and experimentally validated on reconfigurable platform to establish the protection scheme efficacy in thwarting the selected threats. This new approach significantly enhances trust in CPSes containing untrusted components without sacrificing cost and performance. / Ph. D.

Hardware Trojans

Reconfigurable Hardware

Embedded Systems Security

Cognitive radio networks

Trusted Computing

Cyber-Physical Systems

Process Control Systems

Enhancing Trust in Reconfigurable Hardware Systems

Venugopalan, Vivek

01 March 2017

A Cyber-Physical System (CPS) is a large-scale, distributed, embedded system, consisting of various components that are glued together to realize control, computation and communication functions. Although these systems are complex, they are ubiquitous in the Internet of Things (IoT) era of autonomous vehicles/drones, smart homes, smart grids, etc. where everything is connected. These systems are vulnerable to unauthorized penetration due to the absence of proper security features and safeguards to protect important information. Examples such as the typewriter hack involving subversive chips resulting in leakage of keystroke data and hardware backdoors crippling anti-aircraft guns during an attack demonstrate the need to protect all system functions. With more focus on securing a system, trust in untrusted components at the integration stage is of a higher priority. This work builds on a red-black security system, where an architecture testbed is developed with critical and non-critical IP cores and subjected to a variety of Hardware Trojan Threats (HTTs). These attacks defeat the classic trusted hardware model assumptions and demonstrate the ability of Trojans to evade detection methods based on physical characteristics. A novel metric is defined for hardware Trojan detection, termed as HTT Detectability Metric (HDM) that leverages a weighted combination of normalized physical parameters. Security analysis results show that using HDM, 86% of the implemented Trojans were detected as compared to using power consumption, timing variation and resource utilization alone. This led to the formulation of the security requirements for the development of a novel, distributed and secure methodology for enhancing trust in systems developed under untrusted environments called FIDelity Enhancing Security (FIDES). FIDES employs a decentralized information flow control (DIFC) model that enables safe and distributed information flows between various elements of the system such as IP cores, physical memory and registers. The DIFC approach annotates/tags each data item with its sensitivity level and the identity of the participating entities during the communication. Trust enhanced FIDES (TE-FIDES) is proposed to address the vulnerabilities arising from the declassification process during communication between third-party soft IP cores. TE-FIDES employs a secure enclave approach for preserving the confidentiality of the sensitive information in the system. TE-FIDES is evaluated by targeting an IoT-based smart grid CPS application, where malicious third-party soft IP cores are prevented from causing a system blackout. The resulting hardware implementation using TE-FIDES is found to be resilient to multiple hardware Trojan attacks. / Ph. D.

Secure Computing

Trusted Computing

Resilient Computing

Root of Trust

Hardware Trojans

Cyber Physical System Security

Embedded Systems

Reconfigurable Hardware

Comparative Study of Network Access Control Technologies

Qazi, Hasham Ud Din

January 2007

<p>This thesis presents a comparative study of four Network Access Control (NAC) technologies; Trusted Network Connect by the Trusted Computing group, Juniper Networks, Inc.’s Unified Access Control, Microsoft Corp.’s Network Access Protection, and Cisco Systems Inc.’s Network Admission Control. NAC is a vision, which utilizes existing solutions and new technologies to provide assurance that any device connecting to a network policy domain is authenticated and is subject to the network’s policy enforcement. Non-compliant devices are isolated until they have been brought back to a complaint status. We compare the NAC technologies in terms of architectural and functional features they provide.</p><p>There is a race of NAC solutions in the marketplace, each claiming their own definition and terminology, making it difficult for customers to adopt such a solution, resulting in much uncertainty. The NAC paradigm can be classified into two categories: the first category embraces open standards; the second follows proprietary standards. By selecting these architectures, we cover a representative set of proprietary and open standards-based NAC technologies.</p><p>This study concludes that there is a great need for standardization and interoperability of NAC components and that the four major solution proposals that we studied fall short of the desired interoperability. With standards, customers have the choice to adopt solution components from different vendors, selecting, what is commonly referred to as the best of breed. One example for a standard technology that all four NAC technologies that we studied did adopt is the IEEE’s 802.1X port-based access control technology. It is used to control endpoint device access to the network.</p><p>One shortcoming that most NAC architectures (with the exception of Trusted Network Connect) have in common, is the lack of a strong root-of-trust. Without it, clients’ compliance measurements cannot be trusted by the policy server whose task is to assess each client’s policy compliance.</p>

NAC

Network Access Control

Trusted Platform Module

Trusted Computing Group

Trusted Network Connect

Network Access Protection

Network Admission Control

802.1X

root of trust

Computer science

Datavetenskap

Security for Rural Public Computing

Ur Rahman, Sumair

January 2008

Current research on securing public computing infrastructure like Internet kiosks has focused on the use of smartphones to establish trust in a computing platform or to offload the processing of sensitive information, and the use of new cryptosystems such as Hierarchical Identity-based Encryption (HIBE) to protect kiosk user data. Challenges posed by rural kiosks, specifically (a) the absence of specialized hardware features such as Trusted Platform Modules (TPMs) or a modifiable BIOS in older recycled PCs, (b) the potential use of periodically disconnected links between kiosks and the Internet, (c) the absence of a production-ready implementation of HIBE and (d) the limited availability of smartphones in most developing regions make these approaches difficult, if not impossible, to implement in a rural public computing scenario. In this thesis, I present a practical, unobtrusive and easy-to-use security architecture for rural public computing that uses a combination of physical and cryptographic mechanisms to protect user data, public computing infrastructure and handheld devices that access this infrastructure. Key contributions of this work include (a) a detailed threat analysis of such systems with a particular focus on rural Internet kiosks and handheld devices, (b) a security architecture for rural public computing infrastructure that does not require any specialized hardware, (c) an application-independent and backward-compatible security API for securely sending and receiving data between these systems and the Internet that can operate over delay tolerant links, (d) an implementation of my scheme for rural Internet kiosks and (e) a performance evaluation of this implementation to demonstrate its feasibility.

security

trusted computing

developing regions

cryptography

trusted public computing

rural public computing

public key infrastructure

computer networks

distributed systems

delay tolerant networks

security architecture

Computer Science