SlideShare uma empresa Scribd logo

Infrastructure Resilience against Attacks and Faults

Diego Kreutz
Diego Kreutz

Infrastructure Resilience against Attacks and Faults

Tecnologia
1 de 20
Baixar para ler offline
WP5  –  INFRASTRUCTURE  RESILIENCE   AGAINST  ATTACKS  AND  FAULTS   Diego  Kreutz  (FFCUL)     (joint  work:  FFCUL,  TUM,  UFAM  and  UFSC)     SECFUNET  Final  Meeting   Brussels,  11th  June  2014   SECFUNET – Security for Future Networks
 FP7-ICT-2011-EU-Brazil – STREP number 288349"
Objectives  (1/2)   ! 2! Network Access Service! Network Operating System Management Applications Network! ControlPlane! Network Data Plane! FITS uses: §  RADIUS for VMs AA §  OpenID for user AA §  OpenFlow controller
Objectives  (2/2)   ! 3! Virtual Network 2! Virtual Network 3! Physical Infrastructure! Virtual Network 1! VerticalandHorizontal! Control,Managementand! MonitoringSystems! Assure& Monitor& Config& Assure& Monitor& Config&
State  of  Affairs  (OpenID  &  RADIUS)   (current  scenario  and  our  goal)   ! 4! Fault  tolerance   Level  of  trust   C1   C2   C3   C4   C6   C5  
Use  cases:  OpenID  &  RADIUS   ! 5!
Functional  Model   Ø  Service-­‐oriented  architecture  of  components   ! 6! Client / Secure Component! AAI Replicas! (mfR + 1)! Service / Application / Device! (fS + 1)! Gateway! (AAI front-end)! (fG + 1)! AAI Secure ! Components (mfR + 1)! Alternative Path! Default Path! AAI Resilient Infra!
Functional  Model   Ø  Fault  detection  mechanisms   ! 7! ClientCw! Back-end! ServiceBz! Target ServiceIx! Service GatewayGy! Timeout A! Timeout B! Corrupted response ! from replica Tx! Corrupted response ! from replica Gy! Byzantine behavior! from replica Bz! Timeout C (e.g., OpenID)!
Towards  Intrusion  Tolerance   1.  BFT  tools/protocols   –  BFT-­‐SMaRt  (FCUL)   –  IT-­‐VM  (UFSC)   2.  Additional  mechanisms:   –  Diversity   –  Proactive-­‐reactive  recovery   3.  Confidentiality:  a  limitation  of  BFT  systems   –  Specific  components  are  required  to  ensure   this  property   ! 8!
Diversity  in  the  OpenID  prototype   ! 9! VM1! Gateway 1! VM1! OpenID BFT R1! VM2! Gateway 2! Pair-wised TCP/IP Communications! VMn! Gateway N!…" Hypervisor! ! Secure Element! V"V"V" Reliable Communication Channels! VM2! OpenID BFT R1! Hypervisor! ! Secure Element! VM3! OpenID BFT R1! Hypervisor! ! Secure Element! VM4! OpenID BFT R1! Hypervisor! ! Secure Element!
A  Trusted  Component  for  RADIUS  &  OpenID   ! 10! TC# PuCA# KNAS# PrS# KUser# ID# USER Table! ! <ID1> <…, Perm>MAC! <ID2> <…, Perm>MAC! <ID3> <…, Perm>MAC! <ID4> <…, Perm>MAC! …! <IDn> <…, Perm>MAC! DATA Table (NAS | Association)! ! <NAS1 | Handler1> <…, EK1>! <NAS2 | Handler2> <…, EK2>! <NAS3 | Handler3> <…, EK3>! <NAS4 | Handler4> <…, EK4>! …! <NASn | Handlern> <…, EKn>! TLS# EAP# RADIUS# Required methods:! 1.  HMAC! 2.  VerifySignRSA! 3.  SymmCipher! 4.  GenConfidential! 5.  SignRSA! 6.  GenAssocia;on# 7.  GenNonce# BFT?SMaRT# Authentication Service Replica! KAssoc# OpenID# HTTP/HTTPS#
Trusted  Components   ! 11! A trusted/secure component can be “any” device capable of ensuring ! the data and operation confidentiality of the target system/environment.! Smart Cards! Tamper Resistant a FPGA! A Shielded! Computer! Virtual TPM! (e.g. vTPM)! Secure Hypervisor (e.g. sHyper)! Intel TXT & GSX AMD SVM, …!
Deployment  trade-­‐offs   ! 12!
OpenID:  performance   ! 13! Average Latency: 78.360ms! Average Latency: 87.343ms! Average Latency: 32.103ms!
OpenID:  the  impact  of  faults  &  attacks   ! 14! Type of execution/fault/attack 20 clients 40 clients Fault-free execution 867.73 984.59 Constantly crashing OpenID reps 1009.86 1145.98 Attacking OpenID replicas (DoS) 956.46 1005.54 Constantly crashing OpenID gws 633.44 718.75
! 15! Remarks   (prototypes  &  evaluations  &  proposals)   VirtualMachineMonitor! Agreement Service! Authentication Server! Share Memory! VM1! IdP Proxy! VM2! IdP Proxy! API! Trusted Computing ! Base (TCB)! R-­‐OpenID-­‐PR   R-­‐OpenID-­‐VR  R-­‐RADIUS   Resilient   Mon  Infra   Fault-­‐tolerant   OF-­‐C   RT   Kerberos  v5  
! 16! Remarks   (linking  our  tools  to  the  FITS  arch)   End user Physical Network Virtual Network
! 17! Remarks  (on-­‐going/future  work)   Cloud-­‐of-­‐Clouds  Security  Services  (e.g.,  IdPaaS)  
! 18! Remarks  (on-­‐going/future  work)   Cloud-­‐of-­‐Clouds  Security  Services  (e.g.,  IdPaaS)  
! 19! Diffusion   0! 2! 4! 6! 8! 10! CORE A*! CORE A! CORE B! OTHER! Numberofpubs/work! Venue Rank! 4 2 7 9
0! 5! 10! 15! 20! 25! 30! 35! 40! Presential! Online! Tech/Other! Numberofmeetings! Type of meeting! 6 34 ~30 ! 20! Meetings,  on-­‐demand  tech  mini-­‐confs,  etc.   (challenge:  technology  transfer  &  tech  sync)  

Recomendados

Ccna sv2 instructor_ppt_ch2
Ccna sv2 instructor_ppt_ch2Ccna sv2 instructor_ppt_ch2
Ccna sv2 instructor_ppt_ch2
SalmenHAJJI1
 
Network security over ethernet
Network security over ethernetNetwork security over ethernet
Network security over ethernet
Syed Ubaid Ali Jafri
 
Nexus DataCenter Switch の概要 (2014/8/06 webcast)
Nexus DataCenter Switch の概要 (2014/8/06 webcast)Nexus DataCenter Switch の概要 (2014/8/06 webcast)
Nexus DataCenter Switch の概要 (2014/8/06 webcast)
Yuichi Ito
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowasp
drewz lin
 
How to build Big Brother
How to build Big BrotherHow to build Big Brother
How to build Big Brother
Payment Village
 
Access point
Access pointAccess point
Access point
alina castro
 
SDNs: hot topics, evolution & research opportunities
SDNs: hot topics, evolution & research opportunitiesSDNs: hot topics, evolution & research opportunities
SDNs: hot topics, evolution & research opportunities
Diego Kreutz
 
Towards Secure and Dependable Authentication and Authorization Infrastructures
Towards Secure and Dependable Authentication and Authorization InfrastructuresTowards Secure and Dependable Authentication and Authorization Infrastructures
Towards Secure and Dependable Authentication and Authorization Infrastructures
Diego Kreutz
 

Recomendados

Ccna sv2 instructor_ppt_ch2
Ccna sv2 instructor_ppt_ch2Ccna sv2 instructor_ppt_ch2
Ccna sv2 instructor_ppt_ch2
SalmenHAJJI1
 
Network security over ethernet
Network security over ethernetNetwork security over ethernet
Network security over ethernet
Syed Ubaid Ali Jafri
 
Nexus DataCenter Switch の概要 (2014/8/06 webcast)
Nexus DataCenter Switch の概要 (2014/8/06 webcast)Nexus DataCenter Switch の概要 (2014/8/06 webcast)
Nexus DataCenter Switch の概要 (2014/8/06 webcast)
Yuichi Ito
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowasp
drewz lin
 
How to build Big Brother
How to build Big BrotherHow to build Big Brother
How to build Big Brother
Payment Village
 
Access point
Access pointAccess point
Access point
alina castro
 
SDNs: hot topics, evolution & research opportunities
SDNs: hot topics, evolution & research opportunitiesSDNs: hot topics, evolution & research opportunities
SDNs: hot topics, evolution & research opportunities
Diego Kreutz
 
Towards Secure and Dependable Authentication and Authorization Infrastructures
Towards Secure and Dependable Authentication and Authorization InfrastructuresTowards Secure and Dependable Authentication and Authorization Infrastructures
Towards Secure and Dependable Authentication and Authorization Infrastructures
Diego Kreutz
 
Identity Providers-as-a-Service built as Cloud-of-Clouds: challenges and oppo...
Identity Providers-as-a-Service built as Cloud-of-Clouds: challenges and oppo...Identity Providers-as-a-Service built as Cloud-of-Clouds: challenges and oppo...
Identity Providers-as-a-Service built as Cloud-of-Clouds: challenges and oppo...
Diego Kreutz
 
Virtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges AheadVirtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges Ahead
Brain IoT Project
 
Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Engineering Internship Report - Network Intrusion Detection And Prevention Us...Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Disha Bedi
 
Resume_01
Resume_01Resume_01
Resume_01
Srinivasa Rao Veeravalli
 
Madness of the Clouds
Madness of the CloudsMadness of the Clouds
Madness of the Clouds
gazdagf
 
VPN in Virtualized DataCenter
VPN in Virtualized DataCenterVPN in Virtualized DataCenter
VPN in Virtualized DataCenter
Jang Group of Companies
 
TekRADIUS
TekRADIUSTekRADIUS
TekRADIUS
Yasin KAPLAN
 
TekRADIUS
TekRADIUSTekRADIUS
TekRADIUS
Yasin KAPLAN
 
People Counting: Internet of Things in Motion at JavaOne 2013
People Counting: Internet of Things in Motion at JavaOne 2013People Counting: Internet of Things in Motion at JavaOne 2013
People Counting: Internet of Things in Motion at JavaOne 2013
Eurotech
 
Open Network Edge Services Software for 5G and Edge
Open Network Edge Services Software for 5G and EdgeOpen Network Edge Services Software for 5G and Edge
Open Network Edge Services Software for 5G and Edge
Liz Warner
 
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
PROIDEA
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
Aleksandr Timorin
 
Turnstiles & Access Control Systems. PERCo Catalogue
Turnstiles & Access Control Systems. PERCo CatalogueTurnstiles & Access Control Systems. PERCo Catalogue
Turnstiles & Access Control Systems. PERCo Catalogue
PERCo
 
cFrame framework slides
cFrame framework slidescFrame framework slides
cFrame framework slides
kestasj
 
Avionics Test Station Setup
Avionics Test Station Setup Avionics Test Station Setup
Avionics Test Station Setup
Vijayananda Mohire
 
Free OpManager training_Part 1- Discovery & classification
Free OpManager training_Part 1- Discovery & classificationFree OpManager training_Part 1- Discovery & classification
Free OpManager training_Part 1- Discovery & classification
ManageEngine, Zoho Corporation
 
Scripting and automation with the Men & Mice Suite
Scripting and automation with the Men & Mice SuiteScripting and automation with the Men & Mice Suite
Scripting and automation with the Men & Mice Suite
Men and Mice
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
Felipe Prado
 
Java in the Air: A Case Study for Java-based Environment Monitoring Stations
Java in the Air: A Case Study for Java-based Environment Monitoring StationsJava in the Air: A Case Study for Java-based Environment Monitoring Stations
Java in the Air: A Case Study for Java-based Environment Monitoring Stations
Eurotech
 
Cisco connect winnipeg 2018 a look at network assurance in dna center
Cisco connect winnipeg 2018 a look at network assurance in dna centerCisco connect winnipeg 2018 a look at network assurance in dna center
Cisco connect winnipeg 2018 a look at network assurance in dna center
Cisco Canada
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
wesley chun
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Mais conteúdo relacionado

Semelhante a Infrastructure Resilience against Attacks and Faults

Semelhante a Infrastructure Resilience against Attacks and Faults (20)

Identity Providers-as-a-Service built as Cloud-of-Clouds: challenges and oppo...
Identity Providers-as-a-Service built as Cloud-of-Clouds: challenges and oppo...Identity Providers-as-a-Service built as Cloud-of-Clouds: challenges and oppo...
Identity Providers-as-a-Service built as Cloud-of-Clouds: challenges and oppo...
 
Virtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges AheadVirtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges Ahead
 
Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Engineering Internship Report - Network Intrusion Detection And Prevention Us...Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Engineering Internship Report - Network Intrusion Detection And Prevention Us...
 
Resume_01
Resume_01Resume_01
Resume_01
 
Madness of the Clouds
Madness of the CloudsMadness of the Clouds
Madness of the Clouds
 
VPN in Virtualized DataCenter
VPN in Virtualized DataCenterVPN in Virtualized DataCenter
VPN in Virtualized DataCenter
 
TekRADIUS
TekRADIUSTekRADIUS
TekRADIUS
 
TekRADIUS
TekRADIUSTekRADIUS
TekRADIUS
 
People Counting: Internet of Things in Motion at JavaOne 2013
People Counting: Internet of Things in Motion at JavaOne 2013People Counting: Internet of Things in Motion at JavaOne 2013
People Counting: Internet of Things in Motion at JavaOne 2013
 
Open Network Edge Services Software for 5G and Edge
Open Network Edge Services Software for 5G and EdgeOpen Network Edge Services Software for 5G and Edge
Open Network Edge Services Software for 5G and Edge
 
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
 
Turnstiles & Access Control Systems. PERCo Catalogue
Turnstiles & Access Control Systems. PERCo CatalogueTurnstiles & Access Control Systems. PERCo Catalogue
Turnstiles & Access Control Systems. PERCo Catalogue
 
cFrame framework slides
cFrame framework slidescFrame framework slides
cFrame framework slides
 
Avionics Test Station Setup
Avionics Test Station Setup Avionics Test Station Setup
Avionics Test Station Setup
 
Free OpManager training_Part 1- Discovery & classification
Free OpManager training_Part 1- Discovery & classificationFree OpManager training_Part 1- Discovery & classification
Free OpManager training_Part 1- Discovery & classification
 
Scripting and automation with the Men & Mice Suite
Scripting and automation with the Men & Mice SuiteScripting and automation with the Men & Mice Suite
Scripting and automation with the Men & Mice Suite
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
 
Java in the Air: A Case Study for Java-based Environment Monitoring Stations
Java in the Air: A Case Study for Java-based Environment Monitoring StationsJava in the Air: A Case Study for Java-based Environment Monitoring Stations
Java in the Air: A Case Study for Java-based Environment Monitoring Stations
 
Cisco connect winnipeg 2018 a look at network assurance in dna center
Cisco connect winnipeg 2018 a look at network assurance in dna centerCisco connect winnipeg 2018 a look at network assurance in dna center
Cisco connect winnipeg 2018 a look at network assurance in dna center
 

Último

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 

Último (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 

Infrastructure Resilience against Attacks and Faults

  • 1. WP5  –  INFRASTRUCTURE  RESILIENCE   AGAINST  ATTACKS  AND  FAULTS   Diego  Kreutz  (FFCUL)     (joint  work:  FFCUL,  TUM,  UFAM  and  UFSC)     SECFUNET  Final  Meeting   Brussels,  11th  June  2014   SECFUNET – Security for Future Networks
 FP7-ICT-2011-EU-Brazil – STREP number 288349"
  • 2. Objectives  (1/2)   ! 2! Network Access Service! Network Operating System Management Applications Network! ControlPlane! Network Data Plane! FITS uses: §  RADIUS for VMs AA §  OpenID for user AA §  OpenFlow controller
  • 3. Objectives  (2/2)   ! 3! Virtual Network 2! Virtual Network 3! Physical Infrastructure! Virtual Network 1! VerticalandHorizontal! Control,Managementand! MonitoringSystems! Assure& Monitor& Config& Assure& Monitor& Config&
  • 4. State  of  Affairs  (OpenID  &  RADIUS)   (current  scenario  and  our  goal)   ! 4! Fault  tolerance   Level  of  trust   C1   C2   C3   C4   C6   C5  
  • 5. Use  cases:  OpenID  &  RADIUS   ! 5!
  • 6. Functional  Model   Ø  Service-­‐oriented  architecture  of  components   ! 6! Client / Secure Component! AAI Replicas! (mfR + 1)! Service / Application / Device! (fS + 1)! Gateway! (AAI front-end)! (fG + 1)! AAI Secure ! Components (mfR + 1)! Alternative Path! Default Path! AAI Resilient Infra!
  • 7. Functional  Model   Ø  Fault  detection  mechanisms   ! 7! ClientCw! Back-end! ServiceBz! Target ServiceIx! Service GatewayGy! Timeout A! Timeout B! Corrupted response ! from replica Tx! Corrupted response ! from replica Gy! Byzantine behavior! from replica Bz! Timeout C (e.g., OpenID)!
  • 8. Towards  Intrusion  Tolerance   1.  BFT  tools/protocols   –  BFT-­‐SMaRt  (FCUL)   –  IT-­‐VM  (UFSC)   2.  Additional  mechanisms:   –  Diversity   –  Proactive-­‐reactive  recovery   3.  Confidentiality:  a  limitation  of  BFT  systems   –  Specific  components  are  required  to  ensure   this  property   ! 8!
  • 9. Diversity  in  the  OpenID  prototype   ! 9! VM1! Gateway 1! VM1! OpenID BFT R1! VM2! Gateway 2! Pair-wised TCP/IP Communications! VMn! Gateway N!…" Hypervisor! ! Secure Element! V"V"V" Reliable Communication Channels! VM2! OpenID BFT R1! Hypervisor! ! Secure Element! VM3! OpenID BFT R1! Hypervisor! ! Secure Element! VM4! OpenID BFT R1! Hypervisor! ! Secure Element!
  • 10. A  Trusted  Component  for  RADIUS  &  OpenID   ! 10! TC# PuCA# KNAS# PrS# KUser# ID# USER Table! ! <ID1> <…, Perm>MAC! <ID2> <…, Perm>MAC! <ID3> <…, Perm>MAC! <ID4> <…, Perm>MAC! …! <IDn> <…, Perm>MAC! DATA Table (NAS | Association)! ! <NAS1 | Handler1> <…, EK1>! <NAS2 | Handler2> <…, EK2>! <NAS3 | Handler3> <…, EK3>! <NAS4 | Handler4> <…, EK4>! …! <NASn | Handlern> <…, EKn>! TLS# EAP# RADIUS# Required methods:! 1.  HMAC! 2.  VerifySignRSA! 3.  SymmCipher! 4.  GenConfidential! 5.  SignRSA! 6.  GenAssocia;on# 7.  GenNonce# BFT?SMaRT# Authentication Service Replica! KAssoc# OpenID# HTTP/HTTPS#
  • 11. Trusted  Components   ! 11! A trusted/secure component can be “any” device capable of ensuring ! the data and operation confidentiality of the target system/environment.! Smart Cards! Tamper Resistant a FPGA! A Shielded! Computer! Virtual TPM! (e.g. vTPM)! Secure Hypervisor (e.g. sHyper)! Intel TXT & GSX AMD SVM, …!
  • 13. OpenID:  performance   ! 13! Average Latency: 78.360ms! Average Latency: 87.343ms! Average Latency: 32.103ms!
  • 14. OpenID:  the  impact  of  faults  &  attacks   ! 14! Type of execution/fault/attack 20 clients 40 clients Fault-free execution 867.73 984.59 Constantly crashing OpenID reps 1009.86 1145.98 Attacking OpenID replicas (DoS) 956.46 1005.54 Constantly crashing OpenID gws 633.44 718.75
  • 15. ! 15! Remarks   (prototypes  &  evaluations  &  proposals)   VirtualMachineMonitor! Agreement Service! Authentication Server! Share Memory! VM1! IdP Proxy! VM2! IdP Proxy! API! Trusted Computing ! Base (TCB)! R-­‐OpenID-­‐PR   R-­‐OpenID-­‐VR  R-­‐RADIUS   Resilient   Mon  Infra   Fault-­‐tolerant   OF-­‐C   RT   Kerberos  v5  
  • 16. ! 16! Remarks   (linking  our  tools  to  the  FITS  arch)   End user Physical Network Virtual Network
  • 17. ! 17! Remarks  (on-­‐going/future  work)   Cloud-­‐of-­‐Clouds  Security  Services  (e.g.,  IdPaaS)  
  • 18. ! 18! Remarks  (on-­‐going/future  work)   Cloud-­‐of-­‐Clouds  Security  Services  (e.g.,  IdPaaS)  
  • 19. ! 19! Diffusion   0! 2! 4! 6! 8! 10! CORE A*! CORE A! CORE B! OTHER! Numberofpubs/work! Venue Rank! 4 2 7 9
  • 20. 0! 5! 10! 15! 20! 25! 30! 35! 40! Presential! Online! Tech/Other! Numberofmeetings! Type of meeting! 6 34 ~30 ! 20! Meetings,  on-­‐demand  tech  mini-­‐confs,  etc.   (challenge:  technology  transfer  &  tech  sync)