cyber security innovation imho v5
DESCRIPTION
Cyber Security Innovation IMHO Version 5TRANSCRIPT
Computer Security Innovation
IMHO
Presented for your consideration by: Fred Seigneur
Copies of the Power Point file are available at:
2014 Cybersecurity Innovation
Forum In January 2014, I attended the 2014
Cybersecurity Innovation Forum, in
Baltimore.
One reason I attended was that I was
impressed with the Forum’s stated vision.
2014 Cybersecurity Innovation
Forum – Background and Vision
In spite of this insightful and accurate assessment that our current approach to
Cybersecurity is unsustainable, and non-scalable, rather little innovation to
“define and embrace a fundamentally different approach to enterprise architecture
security – one that builds security in from the beginning as a robust and solid
foundation upon which to conduct our transactions” was presented.
Foundational Weaknesses
Helms Deep
Photo Source
Foundational Weaknesses
Such weaknesses exist, but are poorly understood and generally ignored
Photo Source
Computer Security - Defense in Depth
Helms Deep had Defense in DepthPhoto Source
Computer Security - Defense in Depth
But, the fatal flaw was in the foundationPhoto Source
The Root(s) of the Problem
Today’s Operating Systems are not secure
and are too complex to secure by retrofit.
Few Operating Systems or Applications
are rugged.
Don’t verify inputs.
Crash leaving attack vectors for malicious
code.
Most current security “solutions” are
“Band-Aid” approaches.
Operating Systems and Applications
Lack a Basic Immune System
Like someone who must be
protected by an external
bubble
What’s wrong with this
picture? David Vetter, a young boy from Texas,
lived his life - in a plastic bubble.
Nicknamed "Bubble Boy," David was born
in 1971 with severe combined
immunodeficiency, and was forced to live in
a specially constructed sterile plastic
bubble from birth until he died at age 12.
(The photo is from a movie based,
inappropriately, on David’s plight.) Photo Source
Foundational Immune System Deficiencies
Two very serious foundational software problems
Operating Systems
Applications Software
Both of these have the same root cause
Software Developers do not write robust code. Why?
They don’t know how
They don’t know why it’s important
They did not learn how, or why it’s so critical
Foundational Immune
Deficiencies (Cont.)
Two very serious foundational educational problems
Software developers have NOT been taught why or how to write robust and defensive code.
Many CS Professors don’t know how to write robust and defensive code, or why it is necessary to teach it.
Long Term Solutions Better Education
Better Computer Security Education
Better CS and Engineering Education
Include Basic Computer Security Education
Thread in Virtually All University/College
Departments
Create Demand for Foundational Security
Solutions
IT Procurement Authorities & Staff
Users
University/College Accreditation Authorities
How Can This be Done?
Some Universities understand these
issues
A few Educational Institutions have
realized that they can differentiate
themselves in the educational market by
implementing steps such as those above.
The Current State of Cyber
Security Practice Patch known holes
Hope we fixed ALL the holes
Small leaks can get bigger and
some still remain undetected
But, then …
It is not IF your dam will break, it’s WHEN
Plan Ahead
Your dam WILL break
Start planning a downstream dam ASAP
Existing components, available today, can be
integrated to create a Secure Computing
InFrastructure (SCIF*)
* SCIF – A compartmentalized infrastructure for
processing sensitive information
Secure Computing Infrastructure (SCIF) The SCIF can be used in an embedded system (such as IoT , Smart
Grid, SDN White Box Switches) or as an SDN Controller and executes
Erlang functions as transactions. One envisioned SCIF application is
as a Secure Network Interface Function (SNIF), which can be used to
authenticate inputs to and outputs from a secure enclave. With two or
more SCIF boards in a system, fault tolerance is supported using
Erlang fault tolerance.
A Trusted SCIF Interactive Development Environment (SIDE) for SCIF
applications, based on SysML and a SCIF Management System (SMS)
for Administration of the SCIF and SNIF are supported via Erlang
running on a virtualized instance of Linux, atop seL4 and will be fault
tolerant, using Erlang's inherent fault tolerance capabilities
The SCIF architecture can be used to host other Linux applications in a
more trusted and fault tolerant environment than with off the shelf
Linux.
Block diagrams for the SCIF hardware and software follow.
Recent Progress The Parallella board seems ideally suited for the SCIF
prototype.
The Erlang Virtual Machine runs on the Adaptiva
Epiphany chip.
The secure seL4 microkernel runs on the ARM Cortex
A9 in the XILINX ZYNQ portion of the Parallella along
with drivers, TCP/IP protocol processing and the
Secure Network Interface Function.
A SCIF is used to
Applications run securely on the Epiphany in Erlang, a
functional programming language that supports soft
real-time, like a Software Defined Networking (SDN)
controller
Photos of Parallella 16 Core BoardTop View
Bottom View
Parallella Cluster
Parallella Architecture
Secure Computing Infrastructure
Software Architecture
User M
od
e P
artitio
ns
Trusted
Device
Drivers
Separation Kernel (seL4)
Hardware w/Trusted Platform Module (TPM)
Kern
el
Mo
de
Trusted
Encryption
Services
Secure
Network
Interface
Function
ARM Cortex A9 on XILIX ZYNQ Adaptiva Epiphany Multi Processor
Erlang
Virtual
Machine
Code
Erlang
Byte
Code
Program 1
Erlang
Byte
Code
Program n
Phased Integration Plan
Phase I - Proof of Concept/Prototype
Demonstration
Phase II - Field Trials
Visit our LinkedIn group, the
Secure Computing Infrastructure Foundation