Publications
Tagged As
Security considerations for next-generation operating systems for cyber-physical systems
April 15, 2019
Conference Paper
Published in:
1st Intl. Workshop on Next-Generation Operating Systems for Cyber-Physical Systems, NGOSCPS, 15 April 2019.
Topic:
R&D area:
R&D group:
Summary
Cyber-physical systems (CPSs) are increasingly targeted in high-profile cyber attacks. Examples of such attacks include Stuxnet, which targeted nuclear centrifuges; Crashoverride, and Triton, which targeted power grids; and the Mirai botnet, which targeted internet-of-things (IoT) devices such as cameras to carry out a large-scale distributed denial-of-service (DDoS) attack. Such attacks demonstrate the importance of securing current and future cyber-physical systems. Therefore, next-generation operating systems (OSes) for CPS need to be designed to provide security features necessary, as well as be secure in and of themselves. CPSs are designed with one of three broad classes of OSes: (a) bare-metal applications with effectively no operating system, (b) embedded systems executing on impoverished platforms running an embedded or real-time operating system (RTOS) such as FreeRTOS, or (c) more performant platforms running general purpose OSes such as Linux, sometimes tuned for real-time performance such as through the PREEMPT_RT patch. In cases (a) and (b), the OS, if any, is very minimal to facilitate improved resource utilization in real-time or latency-sensitive applications, especially running on impoverished hardware platforms. In such OSes, security is often overlooked, and many important security features (e.g. process/kernel memory isolation) are notably absent. In case (c), the general-purpose OS inherits many of the security-related features that are critical in enterprise and general-purpose applications, such as virtual memory and address-space layout randomization (ASLR). However, the highly complex nature of general-purpose OSes can be problematic in the development of CPSs, as they are highly non-deterministic and difficult to formally reason about for cyber-physical applications, which often have real-time constraints. These issues motivate the need for a next generation OS that is highly capable, predictable and deterministic for real-time performance, but also secure in the face of many of the next generation of cyber threats. In order to design such a next-generation OS, it is necessary to first reflect on the types of threats that CPSs face, including the attacker intentions and types of effects that can be achieved, as well as the type of access that attackers have. While threat models are not the same for all CPSs, it is important to understand how the threat models for CPSs compare to general-purpose or enterprise computing environments. We discuss these issues next (Sec. 2), before providing insights and recommendations for approaches to incorporate in next-generation OSes for CPS in Sec. 3.
Summary
Cyber-physical systems (CPSs) are increasingly targeted in high-profile cyber attacks. Examples of such attacks include Stuxnet, which targeted nuclear centrifuges; Crashoverride, and Triton, which targeted power grids; and the Mirai botnet, which targeted internet-of-things (IoT) devices such as cameras to carry out a large-scale distributed denial-of-service (DDoS) attack. Such attacks...
READ MORE
Secure input validation in Rust with parsing-expression grammars
January 1, 2019
Thesis
Published in:
Thesis (M.E.)--Massachusetts Institute of Technology, 2019.
Topic:
R&D group:
Summary
Accepting input from the outside world is one of the most dangerous things a system can do. Since type information is lost across system boundaries, systems must perform type-specific input handling routines to recover this information. Adversaries can carefully craft input data to exploit any bugs or vulnerabilities in these routines, thereby causing dangerous memory errors. Including input validation routines in kernels is especially risky. Sensitive memory contents and powerful privileges make kernels a preferred target of attackers. Furthermore, the fact that kernels must process user input, network data, as well as input from a wide array of peripheral devices means that including such input validation schemes is unavoidable. In this thesis we present Automatic Validation of Input Data (AVID), which helps solve the issue of input validation within kernels by automatically generating parser implementations for developer-defined structs. AVID leverages not only the unambiguity guarantees of parsing expression grammars but also the type safety guarantees of Rust. We show how AVID can be used to resolve a manufactured vulnerability in Tock, an operating system written in Rust for embedded systems. Using Rust’s procedural macro system, AVID generates parser implementations at compile time based on existing Rust struct definitions. AVID exposes a simple and convenient parser API that is able to validate input and then instantiate structs from the validated input. AVID's simple interface makes it easy for developers to use and to integrate with existing codebases.
Summary
Accepting input from the outside world is one of the most dangerous things a system can do. Since type information is lost across system boundaries, systems must perform type-specific input handling routines to recover this information. Adversaries can carefully craft input data to exploit any bugs or vulnerabilities in these...
READ MORE
Security and performance analysis of custom memory allocators
January 1, 2019
Thesis
Published in:
Thesis (M.E.)--Massachusetts Institute of Technology, 2019.
Topic:
R&D group:
Summary
Computer programmers use custom memory allocators as an alternative to built-in or general-purpose memory allocators with the intent to improve performance and minimize human error. However, it is difficult to achieve both memory safety and performance gains on custom memory allocators. In this thesis, we study the relationship between memory safety and custom allocators. We analyze three popular servers, Apache, Nginx, and Appweb, and show that while the performance benefits might exist in the unprotected version of the server, as soon as partial or full memory safety is enforced, the picture becomes much more complex. Based on the target, using a custom memory allocator might be faster, about the same, or slower than the system memory allocator. Another caveat is that custom memory allocation can only be protected partially (at the allocation granularity) without manual modification. In addition, custom memory allocators may also introduce additional vulnerabilities to an application (e.g., OpenSSL Heartbleed). We thus conclude that using custom memory allocators is very nuanced, and that the challenges they pose may outweigh the small performance gains in the unprotected mode in many cases. Our findings suggest that developers must carefully consider the trade-offs and caveats of using a custom memory allocator before deploying it in their project.
Summary
Computer programmers use custom memory allocators as an alternative to built-in or general-purpose memory allocators with the intent to improve performance and minimize human error. However, it is difficult to achieve both memory safety and performance gains on custom memory allocators. In this thesis, we study the relationship between memory...
READ MORE
Rulemaking for insider threat mitigation
January 1, 2019
Book Chapter
Published in:
Chapter 12, Cyber Resilience of Systems and Networks, 2019, pp. 265-86.
Topic:
R&D group:
Summary
This chapter continues the topic we started to discuss in the previous chapter – the human factors. However, it focuses on a specific method of enhancing cyber resilience via establishing appropriate rules for employees of an organization under consideration. Such rules aim at reducing threats from, for example, current or former employees, contractors, and business partners who intentionally use their authorized access to an organization to harm the organization. System users can also unintentionally contribute to cyber-attacks, or themselves become a passive target of a cyber-attack. The implementation of work-related rules is intended to decrease such risks. However, rules implementation can also increase the risks that arise from employee disregard for rules. This can occur when the rules become too restrictive, and employees become more likely to disregard the rules. Furthermore, the more often employees disregard the rules both intentionally and unintentionally, the more likely insider threats are able to observe and mimic employee behavior. This chapter shows how to find an intermediate, optimal collection of rules between the two extremes of "too many rules" and "not enough rules."
Summary
This chapter continues the topic we started to discuss in the previous chapter – the human factors. However, it focuses on a specific method of enhancing cyber resilience via establishing appropriate rules for employees of an organization under consideration. Such rules aim at reducing threats from, for example, current or...
READ MORE
Leveraging Intel SGX technology to protect security-sensitive applications
November 1, 2018
Conference Paper
Published in:
17th IEEE Int. Symp. on Network Computing and Applications, NCA, 1-3 November 2018.
Topic:
R&D area:
R&D group:
Summary
This paper explains the process by which Intel Software Guard Extensions (SGX) can be leveraged into an existing codebase to protect a security-sensitive application. Intel SGX provides user-level applications with hardware-enforced confidentiality and integrity protections and incurs manageable impact on performance. These protections apply to all three phases of the operational data lifecycle: at rest, in use, and in transit. SGX shrinks the trusted computing base (and therefore the attack surface) of the application to only the hardware on the CPU chip and the portion of the application's software that is executed within the protected enclave. The SDK enables SGX integration into existing C/C++ codebases while still ensuring program support for legacy and non-Intel platforms. This paper is the first published work to walk through the step-by-step process of Intel SGX integration with examples and performance results from an actual cryptographic application produced in a standard Linux development environment.
Summary
This paper explains the process by which Intel Software Guard Extensions (SGX) can be leveraged into an existing codebase to protect a security-sensitive application. Intel SGX provides user-level applications with hardware-enforced confidentiality and integrity protections and incurs manageable impact on performance. These protections apply to all three phases of the...
READ MORE
OS independent and hardware-assisted insider threat detection and prevention framework
October 29, 2018
Conference Paper
Published in:
MILCOM, 29-31 October 2018.
Topic:
R&D area:
R&D group:
Summary
Governmental and military institutions harbor critical infrastructure and highly confidential information. Although institutions are investing a lot for protecting their data and assets from possible outsider attacks, insiders are still a distrustful source of information leakage. As malicious software injection is one among many attacks, turning innocent employees into malicious attackers through social attacks is the most impactful one. Malicious insiders or uneducated employees are dangerous for organizations that they are already behind the perimeter protections that guard the digital assets; actually, they are trojans on their own. For an insider, the easiest possible way for creating a hole in security is using the popular and ubiquitous Universal Serial Bus (USB) devices due to its versatile and easy to use plug-and-play nature. USB type storage devices are the biggest threats for contaminating mission critical infrastructure with viruses, malware, and trojans. USB human interface devices are also dangerous as they may connect to a host with destructive hidden functionalities. In this paper, we propose a novel hardware-assisted insider threat detection and prevention framework for the USB case. Our novel framework is also OS independent. We implemented a proof-of-concept design on an FPGA board which is widely used in military settings supporting critical missions, and demonstrated the results considering different experiments. Based on the results of these experiments, we show that our framework can identify rapid-keyboard key-stroke attacks and can easily detect the functionality of the USB device plugged in. We present the resource consumption of our framework on the FPGA for its utilization on a host controller device. We show that our hard-to-tamper framework introduces no overhead in USB communication in terms of user experience.
Summary
Governmental and military institutions harbor critical infrastructure and highly confidential information. Although institutions are investing a lot for protecting their data and assets from possible outsider attacks, insiders are still a distrustful source of information leakage. As malicious software injection is one among many attacks, turning innocent employees into malicious...
READ MORE
Designing secure and resilient embedded avionics systems
September 30, 2018
Conference Paper
Published in:
IEEE Cybersecurity Development Conf., 30 September - October 2, 2018.
Topic:
R&D area:
R&D group:
Summary
With an increased reliance on Unmanned Aerial Systems (UAS) as mission assets and the dependency of UAS on cyber resources, cyber security of UAS must be improved by adopting sound security principles and relevant technologies from the computing community. On the other hand, the traditional avionics community, being aware of the importance of cyber security, is looking at new architecture and designs that can accommodate both the safety oriented principles as well as the cyber security principles and techniques. The Air Force Research Laboratories (AFRL) Information Directorate has created the Agile Resilient Embedded System (ARES) program to investigate mitigations that offer a method to "design-in" cyber protections while maintaining mission assurance. ARES specifically seeks to 'build security in' for unmanned aerial vehicles incorporating security and hardening best practices, while inserting resilience as a system attribute to maintain a level of system operation despite successful exploitation of residual vulnerabilities.
Summary
With an increased reliance on Unmanned Aerial Systems (UAS) as mission assets and the dependency of UAS on cyber resources, cyber security of UAS must be improved by adopting sound security principles and relevant technologies from the computing community. On the other hand, the traditional avionics community, being aware of...
READ MORE
Don't even ask: database access control through query control
September 1, 2018
Journal Article
Published in:
SIGMOD Record, Vol. 47, No. 3, September 2018, pp. 17-22.
Summary
This paper presents a vision and description for query control, which is a paradigm for database access control. In this model, individual queries are examined before being executed and are either allowed or denied by a pre-defined policy. Traditional view-based database access control requires the enforcer to view the query, the records, or both. That may present difficulty when the enforcer is not allowed to view database contents or the query itself. This discussion of query control arises from our experience with privacy-preserving encrypted databases, in which no single entity learns both the query and the database contents. Query control is also a good fit for enforcing rules and regulations that are not well-addressed by view-based access control. With the rise of federated database management systems, we believe that new approaches to access control will be increasingly important.
Summary
This paper presents a vision and description for query control, which is a paradigm for database access control. In this model, individual queries are examined before being executed and are either allowed or denied by a pre-defined policy. Traditional view-based database access control requires the enforcer to view the query...
READ MORE
Adversarial co-evolution of attack and defense in a segmented computer network environment
July 15, 2018
Conference Paper
Published in:
Proc. Genetic and Evolutionary Computation Conf. Companion, GECCO 2018, 15-19 July 2018, pp. 1648-1655.
Summary
In computer security, guidance is slim on how to prioritize or configure the many available defensive measures, when guidance is available at all. We show how a competitive co-evolutionary algorithm framework can identify defensive configurations that are effective against a range of attackers. We consider network segmentation, a widely recommended defensive strategy, deployed against the threat of serial network security attacks that delay the mission of the network's operator. We employ a simulation model to investigate the effectiveness over time of different defensive strategies against different attack strategies. For a set of four network topologies, we generate strong availability attack patterns that were not identified a priori. Then, by combining the simulation with a coevolutionary algorithm to explore the adversaries' action spaces, we identify effective configurations that minimize mission delay when facing the attacks. The novel application of co-evolutionary computation to enterprise network security represents a step toward course-of-action determination that is robust to responses by intelligent adversaries.
Summary
In computer security, guidance is slim on how to prioritize or configure the many available defensive measures, when guidance is available at all. We show how a competitive co-evolutionary algorithm framework can identify defensive configurations that are effective against a range of attackers. We consider network segmentation, a widely recommended...
READ MORE
Improving security at the system-call boundary in a type-safe operating system
January 1, 2018
Thesis
Published in:
Thesis (M.E.)--Massachusetts Institute of Technology, 2018.
Topic:
R&D group:
Summary
Historically, most approaches to operating sytems security aim to either protect the kernel (e.g., the MMU) or protect user applications (e.g., W exclusive or X). However, little study has been done into protecting the boundary between these layers. We describe a vulnerability in Tock, a type-safe operating system, at the system-call boundary. We then introduce a technique for providing memory safety at the boundary between userland and the kernel in Tock. We demonstrate that this technique works to prevent against the aforementioned vulnerability and a class of similar vulnerabilities, and we propose how it might be used to protect against simliar vulnerabilities in other operating systems.
Summary
Historically, most approaches to operating sytems security aim to either protect the kernel (e.g., the MMU) or protect user applications (e.g., W exclusive or X). However, little study has been done into protecting the boundary between these layers. We describe a vulnerability in Tock, a type-safe operating system, at the...
READ MORE