Upload
cloudflare
View
8.076
Download
1
Embed Size (px)
DESCRIPTION
In today’s world, you may not know if the hardware you are running software on is secure or not. How can you ensure that, regardless of the hardware security, the software stays protected? CloudFlare’s systems engineer, Nick Sullivan shares advanced techniques on how to protect your server software. These techniques include anti-reverse engineering methods, secure key management and designing a system for renewal.
Citation preview
Nicholas Sullivan Systems Engineer
CloudFlare@grittygrease
Running Secure Server Software on Insecure Hardware without a Parachute
What this talk is aboutu The web is changing — consolidation at the edge u Fundamental assumptions about server security are wrong u How do we design server software with the worst case in mind?
u Distinguish between long and short term secrets u Devise approaches for protecting each
2
Let’s Talk About Web Infrastructure
4
Global Website Traffic
5
Global Website Traffic with CDN
6
Current Map
7
Future Map
8
Future Map
9
Edge Computing Threat Model
Traditional server threat modelu Assume server is secure u Add layers of protection to keep attackers out
u Network layer protection u Operating System Level: principle of least privilege u Protection against maliciously installed code u More advanced barriers
11
Globally distributed serversu Less jurisdictional control = less physical security u Physical access trumps static defense layers !
u Traditional defenses helpful, but not ideal u Cannot rely on security of keys u Single break-in results in immediate compromise
12
A More Effective Approach
Approach system security the ‘DRM way’u Assume attacker has bypassed all static defenses u Goal is to refresh secrets before they are compromised u Split system into long-term secrets and short-term secrets u Focus on renewability of secrets
14
Secrets must be split into two tiersu Long-term Secrets
u Useful for attacker for long period of time u Do not store at the edge !
u Short-term Secrets u Expire after a short period of time u Cannot be re-used
15
Example: Traditional TLS terminationu TLS handshake with nginx and Apache
u SSL keys on disk u Read from disk, use in memory !
u Cryptographic elements at risk if server is compromised u Private key u Session key
16
TLS revisited for untrusted hardwareu Long term secrets
u Private key
!u Short term secrets
u Session key u Session IDs and Session ticket keys u Credentials to access private keys
17
How to Protect Short-term Secrets
Short-term secrets — threat modelu Must live on machines in unsafe locations
u Memory u Control Flow
u By the time a secret is broken, it should be expired u Don’t keep secrets in a useable state u Impose computational cost to retrieve the original secret u Expire secrets quickly
!
19
Techniques from DRM are applicableu White-box cryptography u Code obfuscation
20
Standard Cryptography Threat Model
21
Alice Bob
Eve
White-box Cryptography Threat Model
22
Alice Bob
Eve
White-box Cryptography Threat Model
23
Aleve Bob
White-box cryptographyu Hide the cryptographic key from everyone u Protect against key extraction in the strongest threat model !
u Takes time to extract key — lots of math u Choose difficulty based on secret lifetime
24
White-box cryptography implementations
25
u Commercial products u Irdeto, Arxan, SafeNet, etc.
u Open source u OpenWhiteBox
Code obfuscation
26
Code obfuscationu Making reverse engineering difficult
u Compile-time control-flow modification u Data transformation in memory u Anti-debugging
27
Before
28
After
29
Code obfuscation implementationsu Commercial products
u Arxan, Irdeto, etc. u Open source
u Obfuscator-LLVM
30
Long-term Secrets
Keyless SSLu SSL without keys? Surely you’re joking. u SSL without keys at the edge. That’s better.
32
How Keyless SSL Worksu Split the TLS state machine geographically
u Perform private key operation at site owner’s facility (in HSM, etc) u Perform rest of handshake at edge u Communicate with signing server over mutually authenticated TLS
33
Keyless SSL Diagram
34
35
Conclusion
Conclusionu Untrusted hardware requires a new approach
u Split secrets into long-term and short-term u Design for rapid renewal — replace secrets faster than they can be
broken u Leverage short-term secrets to access long-term secrets
37