Ludovic Jacquin, Hewlett Packard Labs (HPE).

ETSI Security Week, Hot Topics in Middlebox SecuritySophia Antipolis, France, 12 June 2018

Attestation of SHIELD's network infrastructure and middleboxes.

SHIELD’s mission & concept

Attestation in SHIELD's network and middleboxes. 2

SHIELD aims to deliver an open solution for dynamically establishing and deploying virtual Security

infrastructures in ISPs and corporate networks.

Big Data Analytics

Trusted Computing

Network Functions

Virtualisation

The SHIELD key components

3Attestation in SHIELD's network and middleboxes.

Service Catalogueand Front-End

vNSFs

DARE

vNSFO

• The middlebox alone cannot be verified, evaluated.– The state is remotely controlled by the orchestration.

• How to verify if a middlebox is working as intended?– Securely– Automatically

• Trusted Computing technologies and mechanisms!

The virtualisation and data/control separation gap

Attestation in SHIELD's network and middleboxes. 4

• Security chip/co-processor widely deployed.– Shielded execution of standardized commands.– Private keys never leave the chip (configurable).

• Enabler for high-level security features:

Trusted Platform Module (TPM) primer

Attestation in SHIELD's network and middleboxes. 5

BootROM(CRTM)

BIOS/UEFI

OS

App. Conf.

Load

Load

Load

Measure

Measure

Measure

Store in PCR0

Pro

tect Log w

ith P

CR

10

b83fac83fb9286

a34fc80fde83f1

a82057ac840d83f9392c876d55a8[…]

Store

in Log

f1d

e32

11

ff00

25

Measured boot

RemoteVerifier

1: Challenge (nonce)

2: Signed measurements

3: Validate signature and check measurements

PCR0: b83fac83fb9286PCR1: a34fc80fde83f1[…]PCR10: f1de3211ff0025

TPMID

Platform

21

3

Remote Attestation

The Trust Monitor

6

TRUSTED INFRASTRUCTURE

The trustworthiness of the SHIELD framework is implemented by relying on Trusted Computing technologies. The infrastructure attestation binds the vNSFs and the network configuration with the store and orchestration of the network.

The key components of the SHIELD framework are protected using Trusted Platform Modules (TPM), assuring the integrity of the software and the configuration.

KEY TECHNOLOGIES

Attestation in SHIELD's network and middleboxes.

Trust Monitor

Service Catalogue

and Front-End

vNSFs

DARE

vNSFO

SHIELD architecture

Attestation in SHIELD's network and middleboxes. 7

Enrollment of middleboxes

Attestation in SHIELD's network and middleboxes. 8

• Update of the Trust Monitor with new vNSF version.

• Verification of new middlebox before admission in the network.

Monitoring of the middleboxes

Attestation in SHIELD's network and middleboxes. 9

• Continual verification of the middleboxes of the network.

Key project milestones

Attestation in SHIELD's network and middleboxes. 10

Prototype of the SHIELD system (alpha

version):

September 2017

Open-source release of the SHIELD system

(beta version):

September 2018

System tested & validated – Final

release:

February 2019

• Detection of rogue SDN controller

• Detection of incorrect SDN rules

• Can handle 10k OpenFlow rules– Bottleneck between SDN controller & Trust Monitor

• Gap: no common (SDN controller-switch) identifier for rules

• Around 2 to 3 seconds RTT– 600ms for the TPM signature itself

SDN switches attestation

Attestation in SHIELD's network and middleboxes. 11

• Boot-time integrity verification of the servers firmware– Via Measured Boot for TPM 1.2

• Run-time integrity verification of binaries and configuration files in servers and middleboxes– Based on the Linux Integrity Measurement Architecture (IMA) kernel

module + custom Linux kernel– Tailored for the Docker lightweight virtualisation environment

• Automated generation/update of whitelist database– Including reference measurements from software repositories (limited

to CentOS Linux distribution)

Servers and middleboxes attestation (1/2)

Attestation in SHIELD's network and middleboxes. 12

• Takes around 5 to 6 seconds RTT w/ verification via whitelist database (up to 128 active containers)– Hard limit caused by the TPM signature over the integrity report

(around 2 seconds) + generation time of the integrity report– The verification process has a smaller influence on the overall time

• The total average time grows linearly with the number of active containers

• Gap: missing integration with NFV Virtual Infrastructure Manager

Servers and middleboxes attestation (2/2)

Attestation in SHIELD's network and middleboxes. 13

• Include recommended remediation– Exclude node, update configuration, reconfigure OpenFlow rules

• Whitelist nodes allowed to communicate with vNSFO– Based on being verified by the Trust Monitor

• Integration with the other components

Next steps

Attestation in SHIELD's network and middleboxes. 14

Follow us!

Attestation in SHIELD's network and middleboxes. 15

https://www.shield-h2020.eu/

@shield_h2020

SHIELD EU Project

info@shield-h2020.eu

SHIELD has received financial support from the European Commissionunder Grant Agreement No. 700199