Upload
dinhminh
View
225
Download
0
Embed Size (px)
Citation preview
SESSION ID:SESSION ID:
#RSAC
Dr. Dacheng Zhang
Intrusion Tolerance for CT Cloud Security
SPO1-W06B
#RSAC
Agenda
Designing Security Arch. for CT Clouds
Strategies for New Technologies
Conclusions
New Security Risks in CT Clouds
#RSAC
Transforming Telecom Infrastructure Cloud
EthSwitch
WDM WDMBackbone
Router RouterEthSwitch
Hardware
RRU
RRU
RRU
HardwareCPRI
Hardware
Service Cloud
WDM WDMMetro
Operation Cloud
Control Cloud
CloudEdgeCloud Baseband
MxU
ONT
ONT
DSLHardware
PON Cloud DSL/OLT
DynamicEfficient Scalable Automated Open
#RSAC
Dynamic Controlled Networks and Vast Virtual Resources
NFVReduce rigidity of
Network APPs
Separation of Hardware and softwareSeparation of service logic and data
SDNEnable Flexibility of Underlay Network
Now: Native Centralized Control plane + GTP overlay
Future: Air interface / Gi LAN Flexibility
NaaS / IaaS / PaaS / SaaS
Cloud ComputingEverything as a Service
#RSAC
Diverse Adversaries
Curiosity
Revenge
Monetary gain
Industrial espionage
National security
Adversary
Motives
Hackers and “script-kiddies”
Insiders with technical knowledge
Cyber-”defense” experts
Competitors
Cyber-criminals
Secure design
Security monitoring and management
#RSAC
New Features and the Associated Risks
Fast service provision and abundant service choices.Can not fully verify the quality of security for each iteration, business runs with vulnerabilities
Avoid vendor lock-in and open telecom resources to customers. Security varies greatly. Identifying attack source is difficult, vulnerability response and recovery can be delayed.
From “Distributed” operation to “centralized” operation. Single point of failure, hijack control, denial of service become a large risk
Centralized data hosting
Carrier opens platform to multiple stakeholders to drive and enhance the customer experience. Access control failures and resource abuse become a significant risk
• Value of data increases dramatically
Widening of services into many critical industries
Connectivity of everything
Harsh running environment and weak security defense measures
Forbes: A hacker's attack at the computer system of a plane leads to the voyage route derivation.
BlackHat 2016: Hackers Charlie Miller and Chris Valasek remotely controlled the steering wheel of a car through its CAN bus.
OFWeek: The hacker makes a lethal dose of medicine and over-dose anesthetics by remote control over the medical system.
#RSAC
Agenda
Designing Security Arch. for CT Clouds
Strategies for New Technologies
Conclusions
New Security Risks in CT Clouds
#RSAC
Landscape of Telecom Cloud SecurityCloud SecurityPipe Security
Cloud OS/OpenStack (Local Resource, IaaS)
CloudCoreCloudEdge
Cloud OS/OpenStack
CloudBB
DEth+OTN(Metro)
GSM LTEUMTSRNCSRC
SDNController
BRASS/PGWGGSN
FWDPI
vCPE
SBCNAT
D
RRUD
D
NFV Security
Data security(HSM)
Vulnerability and patch Mgmt.
vNetwork isolation
Security integration design and implement procedure
Device Security
Security Tools, Basic Security Engineering Capabilities
Security Orchestration
Trusted computing
IAM
SDN Security
DDoS Detection Based on Big Data and SDN
Security of Northbound Interfaces(Sandbox)
SDN Controller Security
Security of Southbound Interfaces
Network Security
PaaS Security
Dockers Security
Data Encry. & Key Mgmt.
SaaS Security
Sandbox
Micro-Service Security Arch.
Deception
O&M Security
Big data security analytics
Security Visualization Security Asset Mgmt.
Risk Control
Network Attack Detection
Web SecurityWAF/RASP
DB Security
Weak Acc. Detection
Secure Chips
Secure, Isolated Env.
OS Kernel Protection
Key Mgmt./File Encryption
Application Certificate
UUID Hiding
MDM/Mandatory Config.
Side channel Prevention
Trusted Boot
Encryption/Key
ROP Prevention
Application Sandbox
OS Kernel Security Monitoring(HIP)
Device Security
Secure Chips
Key/Encry. SGX
Trusted ComputingSide Channel Protection
ITapps
PaaS
Cloud Security
IaaS Security
VM Escape Detection
Sandbox/SELinux
Tenant Security Services
Host Intrusion Detection
#RSAC
The “wall” Doesn’t Work Anymore
You think you have this:
Well fortified. Secure perimeter protection, anti-virus, firewalls, …
Secure off-the-shelf software systems customized for your business needs and
Coherent self-built system applications.
Very little budget, but you are doing fine, because you never had a breach….
…… until Today.
#RSAC
In Truth…you have this….
towers and walls were built at different times and by different experts,
exposed to outside,
constantly under attack by different adversaries
ever shifting patterns and new approaches to overcome your defences….
the cost of wall becomes high, and the wall will eventually affect the development of cities
#RSAC
Change the Game - The “Wall” Doesn’t Work Any More
Observe
Orient
Decide
ActO
O
D
AO
O
D
A
Defender
Attacker
Observe
Orient
Decide
Act
Observe
Orient
Decide
Act
Observe
Orient
Decide
Act
Observe
Orient
Decide
ActO
bserve
Orient
Decide
Act
Observe
Orient
Decide
Act
Observe
Orient
Decide
Act
We need a new Defense Model: Static Threats & Defense => Dynamic Threats & Defense (OODA Loop (Observe-Orient-Decide-Act))
#RSAC
Security Everywhere is Not EnoughThe Byzantine Generals' Problem
Loyal generals will have a unanimous agreement on their strategy with the presence of traitorous generals
The basic idea and method of resolving the Byzantine failure problem can be applied to the cloud environment security(References: OASIS, MAFTIA:Malicious-and Accidental-Fault Tolerance, EU Funded Project 2003)
Risk Assumptions…
The ecosystem is definitely not
reliable.
A single point will
have a fault surely.
A network will be
compromised for certain.
#RSAC
Security 1.0 => Security 3.0
Restricting the attacker Trusted Computing Access control Cryptography Defense in Depth
Enable Defender(Observe), restrict attacker Intrusion Detection Intrusion Prevention Boundary Control Security isolation
Design to SurviveEnable Defender (Orient, Act, Cycle) Protection Detection Response Recovery
Ecosystem
is unreliable
Network will
breakSingle point will
be a problem
Security 1.0 Security 2.0 Security 3.0
#RSAC
Intrusion Tolerance TechnologiesDistributed Consensuses:e.g., PBFT,Paxos, Block Chain, etc.
Decision made by a group
Proactive Recovery: Self Cleansing Intrusion TolerancePeriodically transfer the system into a trusted state, and break the attack chain
Threshold Cryptography:Keep the secret secure until a certain number of components have been compromised
Diversity Design: avoid Common Mode Failures
Lateral Movement
Command and ControlInitial Infection Data ExfiltrationReconnaissance
#RSAC
Encrypted Storage
Data
Encryption Key
Root Key
Root Key for Root Key
Seal in TPM
SK
SRK
EK
HSM
Cost
Security
An Application Example
#RSAC
Encrypted Storage
Data
Encryption Key
Root Key
Root Key p
Sub-Root Key d1
Sub-Root Key d2
Sub-Root Key dt
p=d1+d2+. ,dt
Cost
Security
In the case of a security requires them to continuously improve before, using a simple chain of trust chain method (construction, and maintenance) cost is increasing exponentially.
An Application Example
#RSAC
G V I
IR
FS
MC
UC F
GD
An attacker attempts to intrude the
system
1) Intrusion Prevention mechanisms
The attacker intrudes the system and
causes errors
2) Mask the intrusion effects
without detecting the intrusion
3) The intrusion is detected, start the response
4) Recovery the system without
any degradation
Failed in either detecting or masking
the intrusion
5) Ensure the provision of key services
6) Stop the system before
causing un-bearable damages
The system works properly
The system
fails
UC Undetected Compromised. System fails without detecting the intrusionFS Fail-Safe. the System fails but the damage is bearableGD Graceful Degradation. Guarantee the provision of important services,
maybe with some degradationF Failure. System fails without control
What an Intrusion Tolerant System Would Do1) Intrusion Prevention
Security EnhancementNetwork IsolationAccess ControlPatches…
2) Intrusion Mask
Separation of Three PowersSecurity Arch.Threshold Crypto.Elastic ExpansionSystem Re-initiation
3) Intrusion Detection
Big DataMachine LearningAIRemote Attestation
G Good. System works properlyV Vulnerability. The attacker starts accessing vulnerabilitiesI Intrusion. The attacker intrudes the systemMC Masked Compromised. Mask the intrusion and its affects
4) Intrusion Response
Auto Scale OutAutomated Switch OverPolicy Automation
5) GD
Priority Management of ServicesRate LimitDelayed Response
6) Fail-Safe
Stop systemDisable user accountCrypto key updateErase compromised user data
References: Information assurance-dependability and security in network systems
#RSAC
Agenda
Designing Security Arch. for CT Clouds
Strategies for New Technologies
Conclusions
New Security Risks in CT Clouds
#RSAC
Trusted Computing Access control Cryptography Defense in
Depth
Strategy for New TechnologiesDetectionPrevention Boundary Control Security isolation
Vulnerability ManagementSystem HardeningMaintenance Response
RASP: Runtime application self protection
The diagrams on this page are from the internet
#RSAC
Development of Anti-DDoS
Switch
Router
Centralized Cleaning Device
Anti-DDoS
C
C C
Backbone Network
Big Data Intelligence
Center
Router
Router Router
SDN controller
Service Orchestrator
SDN+Big Data Cleaning Collaboration of Operators
IPFIX/NetFlow Policy
Event
Cloud Signaling
On-siteDDoS defense system
Cleaning Center
Detecting Center
Management Center
Link Level Operator Level Global Level
#RSAC
Evolution of Sandbox for advanced malware attack
1st Generation
Pure Software ModuleInstruction Interpretation
Partial OS EmulationScalability?
1995 - Today
3rd Generation: Hypervisor + Big Data/Deep Learning
2nd Generation
Virtual Machine BasedHooking/Driver/Agent
Predefined Behavior WeightsEvasion? FPR is high!
2007 - Today
TOBE
LibVMI
VMI App
Sync handler
Aync handlerEvent
Channel
Secure VM
Hypervisor Introspection
VM OS Kernel
VM users spaceprocesses
Malwareprocess
VM IntrospectionLibVMI
Intel CPU VT/EPT
Big Data AnalysisMachine Learning
Deep LearningNeural Network
Anti-evasion!Granularity!
Visibility!High TPR!Low FPR!
Automated!
2017-
#RSAC
Agenda
Designing Security Arch. for CT Cloud
Strategies for new Technologies
Conclusions
New Security Risks in CT Clouds
#RSAC
Conclusions
There are always vulnerabilities and drawbacks in a system, which could be exploited by attackers Instead of relying on total attack preventions, we need to accept the truth that the system may always be intrudedInstead of relying on the security capability of every single entity, we need to consider what to do after a single point has been compromised— However, this does not mean the protection on critical components will not be
important any more
#RSAC
“Apply” Slide
24
Next week you should:Revise your security assumption based on your adversary Identify all valuable assets and critical components
In the first three months following this presentation you should:Review your existing security solutions and analyze whether they have considered all the issues mentioned in the Intrusion Tolerant Security Architecture
Within six months you should:Implement first security mechanisms with intrusion tolerant capabilities to protect your critical properties on a risk-based approach (i.e. where needed).
#RSAC
Thank You!