Computer Security Innovation IMHO v5.3

Presented for your consideration by: Fred Seigneur

Copies of the PowerPoint file will be posted to SlideShare, available at: http://www.slideshare.net/WFredSeigneur/



2014 Cybersecurity Innovation Forum

In January 2014, I attended the 2014 Cybersecurity Innovation Forum, in Baltimore.

One reason I attended was that I was impressed with the Forum’s stated vision.

2014 Cybersecurity Innovation Forum – Background and Vision

In spite of this insightful and accurate assessment that our current approach to Cybersecurity is unsustainable, and non-scalable, rather little innovation to “define and embrace a fundamentally different approach to enterprise architecture security – one that builds security in from the beginning as a robust and solid foundation upon which to conduct our transactions” was presented.

Foundational Weaknesses

Such weaknesses exist, but are poorly understood and generally ignored


Computer Security - Defense in Depth

Helm's Deep had Defense in Depth

The Root(s) of the Problem

Today’s Operating Systems are not secure and are too complex to secure by retrofit.

Few Operating Systems or Applications are rugged.

Don’t verify inputs.

Crash leaving attack vectors for malicious code.

Most current security “solutions” are “Band-Aid” approaches.

Operating Systems and Applications Lack a Basic Immune System

Like someone who must be protected by an external bubble

What’s wrong with this picture?

David Vetter, a young boy from Texas, lived his life in a plastic bubble. Nicknamed "Bubble Boy," David was born in 1971 with severe combined immunodeficiency, and was forced to live in a specially constructed sterile plastic bubble from birth until he died at age 12. (The photo is from a movie based, inappropriately, on David’s plight.)

What’s wrong with this (motion) picture?

http://www.youtube.com/watch?v=uxKmDWDUZ5A

Foundational Immune System Deficiencies

Two very serious foundational software problems

Operating Systems

Applications Software

Both of these have the same root cause

Software Developers do not write robust code. Why?

They don’t know how

They don’t know why it’s important

They did not learn how, or why it’s so critical

Foundational Immune Deficiencies (Cont.)

Two very serious foundational educational problems

Software developers have NOT been taught why or how to write robust and defensive code.

Many CS Professors don’t know how to write robust and defensive code, or why it is necessary to teach it.

Long Term Solutions

Better Education

Better Computer Security Education

Better CS and Engineering Education

Include Basic Computer Security Education Thread in Virtually All University/College Departments

Create Demand for Foundational Security Solutions

IT Procurement Authorities & Staff

Users

University/College Accreditation Authorities

How Can This be Done?

Some Universities understand these issues

A few Educational Institutions have realized that they can differentiate themselves in the educational market by implementing steps such as those above.

The Current State of Cyber Security Practice

Patch known holes

Hope we fixed ALL the holes

Small leaks can get bigger and some still remain undetected

But, then …

It is not IF your dam will break, it’s WHEN

Plan Ahead

Your dam WILL break

Start planning a downstream dam ASAP

Existing components, available today, can be integrated to create a Secure Computing InFrastructure (SCIF*)

* SCIF – A compartmentalized infrastructure for processing sensitive information

Secure Computing Infrastructure (SCIF)

The SCIF can be used in an embedded system (such as IoT, Smart Grid, SDN White Box Switches) or as an SDN Controller, and executes Erlang functions as transactions. One envisioned SCIF application is as a Secure Network Interface Function (SNIF), which can be used to authenticate inputs to and outputs from a secure enclave. With two or more SCIF boards in a system, fault tolerance is supported using Erlang fault tolerance.

A Trusted SCIF Interactive Development Environment (SIDE) for SCIF applications, based on SysML, and a SCIF Management System (SMS) for Administration of the SCIF and SNIF are supported via Erlang running on a virtualized instance of Linux, atop seL4, and will be fault tolerant, using Erlang's inherent fault tolerance capabilities.

The SCIF architecture can be used to host other Linux applications in a more trusted and fault tolerant environment than with off the shelf Linux.

Block diagrams for the SCIF hardware and software follow.

Recent Progress

The Parallella board seems ideally suited for the SCIF prototype.

The Erlang Virtual Machine runs on the Adapteva Epiphany chip.

The secure seL4 microkernel runs on the ARM Cortex A9 in the XILINX ZYNQ portion of the Parallella along with drivers, TCP/IP protocol processing and the Secure Network Interface Function.

A SCIF is used to

Applications run securely on the Epiphany in Erlang, a functional programming language that supports soft real-time, like a Software Defined Networking (SDN) controller

Photos of Parallella 16 Core Board (Top View, Bottom View)

Parallella Cluster

Parallella Architecture

Secure Computing InFrastructure (SCIF*) Software Architecture

[Diagram: SCIF software architecture. Block labels: User Mode Partitions; Kernel Mode; Trusted Device Drivers; Trusted Encryption Services; Secure Network Interface Function; Separation Kernel (seL4); Hardware w/Trusted Platform Module (TPM); ARM Cortex A9 on XILINX ZYNQ; Adapteva Epiphany Multi Processor; Erlang Virtual Machine Code; Erlang Byte Code Program 1 … Erlang Byte Code Program n]

* SCIF – A compartmentalized infrastructure for processing sensitive information

Current Status of Secure Computing Innovation Foundation

SecureComputingInnovationFoundation.org domain name secured.

Currently, only forwards emails to my Gmail account.

I need about $20k now for:

Legal expenses to incorporate as 501(c)(3), non-profit corporation

Conference registration fees & travel

Any help you give me until I get the non-profit incorporated and a TIN established at the IRS WILL NOT BE CONSIDERED Tax Deductible.

AND, I will have to pay personal income tax on what you give.

So, please don’t anyone put down more than $100

Later I will reward your personal and corporate tax deductible gifts as per the reward categories on the draft at KickStarter

Current Status of Secure Computing Innovation Foundation

I’m establishing an account at Wells Fargo Bank for the start-up non-profit.

I will next set up a PayPal account for “the Foundation”.

I originally wanted to get funding for research by proposing to write a Study Report, like I did for the ROADS Model on KickStarter.

The project categories and “rewards” from the draft KickStarter project are now on SlideShare