Intrusion Tolerance for CT Cloud Security

Dr. Dacheng Zhang

SESSION ID: SPO1-W06B

#RSAC



Agenda

New Security Risks in CT Clouds

Designing Security Arch. for CT Clouds

Strategies for New Technologies

Conclusions


Transforming Telecom Infrastructure Cloud

[Figure: telecom infrastructure moving to the cloud. Labels: Service Cloud, Operation Cloud, Control Cloud, CloudEdge, Cloud Baseband, PON Cloud, DSL/OLT, MxU, ONT, RRU, CPRI, WDM backbone, WDM metro, routers, Ethernet switches, hardware.]

Dynamic, Efficient, Scalable, Automated, Open


Dynamic Controlled Networks and Vast Virtual Resources

NFV: Reduce rigidity of Network APPs
• Separation of hardware and software
• Separation of service logic and data

SDN: Enable Flexibility of Underlay Network
• Now: Native Centralized Control plane + GTP overlay
• Future: Air interface / Gi LAN Flexibility

Cloud Computing: Everything as a Service
• NaaS / IaaS / PaaS / SaaS


Diverse Adversaries

Motives
• Curiosity
• Revenge
• Monetary gain
• Industrial espionage
• National security

Adversary
• Hackers and “script-kiddies”
• Insiders with technical knowledge
• Cyber-“defense” experts
• Competitors
• Cyber-criminals

Secure design

Security monitoring and management


New Features and the Associated Risks

• Fast service provision and abundant service choices. The quality of security cannot be fully verified for each iteration, so the business runs with vulnerabilities.
• Avoid vendor lock-in and open telecom resources to customers. Security varies greatly. Identifying the attack source is difficult, and vulnerability response and recovery can be delayed.
• From “distributed” operation to “centralized” operation. Single point of failure, control hijacking and denial of service become a large risk.
• Centralized data hosting. Value of data increases dramatically.
• Carrier opens platform to multiple stakeholders to drive and enhance the customer experience. Access control failures and resource abuse become a significant risk.
• Widening of services into many critical industries; connectivity of everything. Harsh running environment and weak security defense measures.

Forbes: A hacker's attack on the computer system of a plane leads to a deviation of its route.

BlackHat 2016: Hackers Charlie Miller and Chris Valasek remotely controlled the steering wheel of a car through its CAN bus.

OFWeek: A hacker administers a lethal dose of medicine and an overdose of anesthetics by remote control over the medical system.


Landscape of Telecom Cloud Security

[Figure: telecom cloud topology split into Cloud Security and Pipe Security. Labels: CloudCore, CloudEdge, CloudBB, Cloud OS/OpenStack (Local Resource, IaaS), SDN Controller, Eth+OTN (Metro), GSM, UMTS, LTE, RNC, SRC, BRAS, S/PGW, GGSN, FW, DPI, vCPE, SBC, NAT, RRU.]

NFV Security

Data security(HSM)

Vulnerability and patch Mgmt.

vNetwork isolation

Security integration design and implement procedure

Device Security

Security Tools, Basic Security Engineering Capabilities

Security Orchestration

Trusted computing

IAM

SDN Security

DDoS Detection Based on Big Data and SDN

Security of Northbound Interfaces(Sandbox)

SDN Controller Security

Security of Southbound Interfaces

Network Security

PaaS Security

Dockers Security

Data Encry. & Key Mgmt.

SaaS Security

Sandbox

Micro-Service Security Arch.

Deception

O&M Security

Big data security analytics

Security Visualization

Security Asset Mgmt.

Risk Control

Network Attack Detection

Web Security: WAF/RASP

DB Security

Weak Acc. Detection

Secure Chips

Secure, Isolated Env.

OS Kernel Protection

Key Mgmt./File Encryption

Application Certificate

UUID Hiding

MDM/Mandatory Config.

Side channel Prevention

Trusted Boot

Encryption/Key

ROP Prevention

Application Sandbox

OS Kernel Security Monitoring(HIP)

Device Security

Secure Chips

Key/Encry. SGX

Trusted Computing

Side Channel Protection

IT apps

PaaS

Cloud Security

IaaS Security

VM Escape Detection

Sandbox/SELinux

Tenant Security Services

Host Intrusion Detection


The “wall” Doesn’t Work Anymore

You think you have this:

Well fortified. Secure perimeter protection, anti-virus, firewalls, …

Secure off-the-shelf software systems customized for your business needs and

Coherent self-built system applications.

Very little budget, but you are doing fine, because you never had a breach….

…… until Today.


In Truth…you have this….

towers and walls were built at different times and by different experts,

exposed to outside,

constantly under attack by different adversaries

ever shifting patterns and new approaches to overcome your defences….

the cost of the wall becomes high, and the wall will eventually affect the development of cities


Change the Game - The “Wall” Doesn’t Work Any More

[Figure: interleaved OODA loops (Observe, Orient, Decide, Act) of the Defender and the Attacker.]

We need a new defense model: Static Threats & Defense => Dynamic Threats & Defense (OODA loop: Observe-Orient-Decide-Act)


Security Everywhere is Not Enough

The Byzantine Generals' Problem

Loyal generals will reach a unanimous agreement on their strategy in the presence of traitorous generals.

The basic idea and method of resolving the Byzantine failure problem can be applied to cloud environment security (References: OASIS; MAFTIA: Malicious- and Accidental-Fault Tolerance, EU Funded Project 2003).

Risk Assumptions…

• The ecosystem is definitely not reliable.
• A single point will surely have a fault.
• A network will be compromised for certain.


Security 1.0 => Security 3.0

Security 1.0: Restricting the attacker
• Trusted Computing
• Access control
• Cryptography
• Defense in Depth

Security 2.0: Enable Defender (Observe), restrict attacker
• Intrusion Detection
• Intrusion Prevention
• Boundary Control
• Security isolation

Security 3.0: Design to Survive. Enable Defender (Orient, Act, Cycle)
• Protection
• Detection
• Response
• Recovery

Ecosystem is unreliable

Network will break

Single point will be a problem


Intrusion Tolerance Technologies

• Distributed Consensus: e.g., PBFT, Paxos, Block Chain, etc. Decision made by a group
• Proactive Recovery: Self Cleansing Intrusion Tolerance. Periodically transfer the system into a trusted state, and break the attack chain
• Threshold Cryptography: Keep the secret secure until a certain number of components have been compromised
• Diversity Design: avoid Common Mode Failures

[Figure: attack chain. Labels: Reconnaissance, Initial Infection, Command and Control, Lateral Movement, Data Exfiltration.]


An Application Example

[Figure: encrypted storage key chain. Labels: Encrypted Storage, Data, Encryption Key, Root Key, Root Key for Root Key, Seal in TPM (SK, SRK, EK), HSM. Axes: Cost, Security.]


An Application Example

[Figure: encrypted storage key chain with a split root key. Labels: Encrypted Storage, Data, Encryption Key, Root Key, Root Key p, Sub-Root Key d1, Sub-Root Key d2, Sub-Root Key dt. Axes: Cost, Security.]

p = d1 + d2 + ... + dt

When security requirements keep rising, the cost (construction and maintenance) of a simple chain-of-trust approach increases exponentially.
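The additive root-key split on this slide (p = d1 + d2 + ... + dt), written out as an added Python example that is not part of the original deck. The 256-bit modulus, the function names and the refresh step (a re-randomisation in the spirit of the proactive recovery item on the technologies slide) are assumptions made for illustration.

```python
import secrets

MOD = 2 ** 256  # assumption: 256-bit root key, shares are added modulo 2^256


def split_root_key(p: int, t: int) -> list[int]:
    """Split root key p into t sub-root keys with p = d1 + ... + dt (mod MOD)."""
    if t < 2 or not 0 <= p < MOD:
        raise ValueError("need t >= 2 and 0 <= p < 2^256")
    shares = [secrets.randbelow(MOD) for _ in range(t - 1)]
    shares.append((p - sum(shares)) % MOD)
    return shares


def combine(shares: list[int]) -> int:
    """Recover p; every one of the t sub-root keys is required."""
    return sum(shares) % MOD


def refresh(shares: list[int]) -> list[int]:
    """Proactive refresh: add a fresh sharing of zero, so previously stolen
    shares become useless while the root key p itself does not change."""
    zero = split_root_key(0, len(shares))
    return [(d + z) % MOD for d, z in zip(shares, zero)]


def missing_share_for(known: list[int], candidate_p: int) -> int:
    """For ANY candidate root key there is a last share consistent with the
    t-1 known ones, so t-1 compromised holders learn nothing about p."""
    return (candidate_p - sum(known)) % MOD


def demo() -> dict:
    p = secrets.randbelow(MOD)   # constructed sample root key
    d = split_root_key(p, 5)
    stolen = d[:2]               # shares leaked before the refresh
    d2 = refresh(d)
    mixed = stolen + d2[2:]      # stale stolen shares + current remaining ones
    return {
        "recovers": combine(d) == p,
        "recovers_after_refresh": combine(d2) == p,
        "stale_shares_fail": combine(mixed) != p,
        "any_candidate_fits": combine(d[:4] + [missing_share_for(d[:4], 42)]) == 42,
    }


if __name__ == "__main__":
    print(demo())
```

This additive form needs all t sub-root keys to rebuild p, so losing one holder loses the key; a scheme that tolerates missing holders needs a threshold construction such as Shamir's secret sharing.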


What an Intrusion Tolerant System Would Do

[Figure: state transition diagram with states G, V, I, IR, MC, UC, GD, FS, F.]

States:
• G: Good. System works properly
• V: Vulnerability. The attacker starts accessing vulnerabilities
• I: Intrusion. The attacker intrudes the system
• MC: Masked Compromised. Mask the intrusion and its effects
• UC: Undetected Compromised. System fails without detecting the intrusion
• FS: Fail-Safe. The system fails but the damage is bearable
• GD: Graceful Degradation. Guarantee the provision of important services, maybe with some degradation
• F: Failure. System fails without control

Transitions:
• An attacker attempts to intrude the system
• 1) Intrusion Prevention mechanisms
• The attacker intrudes the system and causes errors
• 2) Mask the intrusion effects without detecting the intrusion
• 3) The intrusion is detected, start the response
• 4) Recover the system without any degradation
• Failed in either detecting or masking the intrusion
• 5) Ensure the provision of key services
• 6) Stop the system before causing unbearable damages
• The system works properly
• The system fails

Mechanisms:
• 1) Intrusion Prevention: Security Enhancement, Network Isolation, Access Control, Patches, …
• 2) Intrusion Mask: Separation of Three Powers Security Arch., Threshold Crypto., Elastic Expansion, System Re-initiation
• 3) Intrusion Detection: Big Data, Machine Learning, AI, Remote Attestation
• 4) Intrusion Response: Auto Scale Out, Automated Switch Over, Policy Automation
• 5) GD: Priority Management of Services, Rate Limit, Delayed Response
• 6) Fail-Safe: Stop system, Disable user account, Crypto key update, Erase compromised user data

References: Information assurance-dependability and security in network systems


Strategy for New Technologies

• Trusted Computing, Access control, Cryptography, Defense in Depth
• Detection, Prevention, Boundary Control, Security isolation
• Vulnerability Management, System Hardening, Maintenance, Response

RASP: Runtime application self protection

The diagrams on this page are from the internet


Development of Anti-DDoS

[Figure: development of anti-DDoS across three levels: Link Level, Operator Level, Global Level. Labels: on-site DDoS defense system (Anti-DDoS, switch, router); centralized cleaning device with Detecting Center, Cleaning Center and Management Center on the backbone network; SDN + Big Data cleaning and collaboration of operators, with SDN controller, service orchestrator, Big Data Intelligence Center, routers, IPFIX/NetFlow, policy, event and cloud signaling.]


Evolution of Sandbox for advanced malware attack

1st Generation (1995 - Today)
• Pure Software Module
• Instruction Interpretation
• Partial OS Emulation
• Scalability?

2nd Generation (2007 - Today)
• Virtual Machine Based
• Hooking/Driver/Agent
• Predefined Behavior Weights
• Evasion? FPR is high!

3rd Generation: Hypervisor + Big Data/Deep Learning (TOBE, 2017-)
• Hypervisor Introspection
• VM Introspection: LibVMI
• Intel CPU VT/EPT
• Big Data Analysis, Machine Learning
• Deep Learning, Neural Network
• Anti-evasion! Granularity! Visibility! High TPR! Low FPR! Automated!

[Figure: LibVMI-based introspection. Labels: VMI App, LibVMI, sync handler, async handler, event channel, Secure VM, VM OS kernel, VM user-space processes, malware process.]


Conclusions

• There are always vulnerabilities and drawbacks in a system, which could be exploited by attackers
• Instead of relying on total attack prevention, we need to accept the truth that the system may always be intruded
• Instead of relying on the security capability of every single entity, we need to consider what to do after a single point has been compromised
• However, this does not mean the protection of critical components will not be important any more


“Apply” Slide


Next week you should:
• Revise your security assumption based on your adversary
• Identify all valuable assets and critical components

In the first three months following this presentation you should:
• Review your existing security solutions and analyze whether they have considered all the issues mentioned in the Intrusion Tolerant Security Architecture

Within six months you should:
• Implement first security mechanisms with intrusion tolerant capabilities to protect your critical properties on a risk-based approach (i.e. where needed).


Thank You!