The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Cloud Security
Giovanni Mazzeo
Università degli Studi di Napoli «Parthenope»
Roadmap
 The importance of cloud technology
 Cloud concepts and delivery models
 Cloud pillars
 Advantages and disadvantages of cloud technology
 Security risks in the cloud environment
 The malicious insider threat
 Current approaches for protecting from malicious insiders
 Case studies:
o The SERECA project: cloudifying Critical Applications
o The KONFIDO project: protecting clinical data
The growth of Cloud Computing
 Compound Annual Growth Rate (CAGR) of cloud services
Spending in Cloud Infrastructures
 Billions of dollars spent by companies in cloud infrastructures
Defining the Cloud
 The National Institute of Standards and Technology (NIST)
provides the following definition:
Cloud computing is a model for enabling convenient, on-
demand network access to a shared pool of configurable
computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly provisioned
and released with minimal management effort or service
provider interaction
The cloud model increases availability and is composed of
five essential characteristics, three service models, and four
deployment models.
Cloud Characteristics - 1/2
1. On-demand self-service – A consumer can unilaterally
provision computing capabilities, such as server time and
network storage, as needed automatically without requiring
human interaction with each service provider
2. Broad network access – Capabilities are available over
the network and accessed through standard mechanisms
that promote use by heterogeneous thin or thick client
platforms (e.g., mobile phones, laptops, and PDAs)
Cloud Characteristics - 2/2
3. Resource pooling – The provider’s computing resources
are pooled to serve multiple consumers using a multi-
tenant model, with different physical and virtual resources
dynamically assigned and reassigned according to
consumer demand
4. Rapid elasticity – Capabilities can be rapidly and
elastically provisioned, in some cases automatically, to
quickly scale out and rapidly released to quickly scale in
5. Measured Service – Cloud systems automatically control
and optimize resource use by leveraging a metering
capability at some level of abstraction appropriate to the
type of service (e.g., storage, processing, bandwidth, and
active user accounts)
Cloud Service Models
 The type of cloud offerings (or service models) varies depending
on the number of hardware and software layers managed by the
provider
 Each service model targets a different user, also called tenant
 Generally, the cloud market proposes three solutions:
o Software as a Service (SaaS) – Target: App Users
• e.g.: Google Docs, Office365, Dropbox, Apple iCloud
o Platform as a Service (PaaS) – Target: App Developers
• e.g.: RedHat OpenShift, Force.com, Google App Engine
o Infrastructure as a Service (IaaS) – Target: System Admin
• e.g.: Amazon AWS EC2, Microsoft Azure, Google Cloud
Examples of cloud service offerings
On Premises
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)
Example:
 In 2008 Netflix decided to migrate to the IaaS Amazon AWS
 Why?
o An unexpected peak of requests overloaded the servers with a
consequent service degradation
o The company faced a failure of their database that made the service
unavailable for two days
 The cloud was seen as the solution:
o They do not have to manage IT systems (i.e. server installation, maintenance, software updates, cooling system setup, etc.)
o They do not care if a peak of requests arrives, as cloud scalability ensures that other servers are launched automatically
o Even if one or more nodes fail, the service is always available
Cloud enabling technology
 The key enabling technology of the cloud is virtualization
 Virtualization means simulating the hardware platform, the operating
system, storage devices, and network resources
 Virtualization increases resources usage efficiency
Virtualization Concepts
 The virtualization of machines to be offered to Cloud
customers is made possible by the Hypervisor
 This is a software layer that lies between the hardware and the OSes and provides an interface to share the available resources among virtual machines
 The Hypervisor is the unit that assigns, in different time
slices, hardware resources to VMs
Hypervisor
 Two types of hypervisor:
o Bare-metal – There is no Host OS, i.e., the hypervisor
runs directly on top of the hardware
o Hosted – The hypervisor is hosted in a host OS
Container-based Virtualization
 In the last 5-10 years a new form of virtualization gained
ground in cloud environments: containers
 These are an OS-level virtualization method for running
multiple isolated environments within a single host
 Containers do not need a Hypervisor layer
 Advantages of containers with respect to VMs are:
o Faster startup
o Less resource consumption
o Cheaper
o Easier to deploy
Reference Architecture
 The cloud reference architecture is composed of three main
parts:
o Supporting (IT) infrastructure: These are facilities and
services common to any IT service, cloud or otherwise.
o Cloud-specific infrastructure: These components constitute
the heart of a cloud service; cloud-specific functionalities are
typically mapped to these components.
o Cloud service consumer: The cloud service is exposed to final consumers (e.g. a web client) through this layer
Reference Architecture
[Figure: reference architecture. Layers from the User side down to the Provider side: Front End, Network, Cloud (Web) Applications, Cloud Software Environment, Kernel, Hardware, Facilities. Cross-cutting components: Services and APIs, Management Access, IAAA Mechanisms. Cloud-specific infrastructure resources: Computational Resources, Storage, Communication. Groupings: Supporting IT Infrastructure, Cloud-specific Infrastructure, Service consumer]
Cloud Advantages
[Figure: Cloud Advantages – Maintainability, Security, Cost Efficiency, Flexibility, Scalability, Reliability]
Cloud Disadvantages
[Figure: Cloud Disadvantages – Lock-In, Security, Internet-dependency, Lack of Control, Reliability]
Security increase brought by the Cloud
 Cloud technology provides protection from some types of
attacks that are easy to realize on locally managed
systems, since it ensures:
o Higher Physical Security. Cloud vendors often host their
systems in facilities that have much stronger physical security
controls against external intruders
o Advanced detection and prevention mechanisms for Denial
of Service at the network level
o More frequent Security Patching and System Updates that
prevent viruses or worms from exploiting software bugs
o Multi-factor authentication which is much more secure than
the more traditional user name and password authentication
Example: DDoS (Inbound)
 Attackers are often interested in putting a system (e.g. a web server)
out of service through Distributed Denial of Service (DDoS) attacks
 Attackers produce a massive number of requests to the target through distributed nodes, also called Botnets (a group of computers which have been infected by malware and have come under the control of the malicious actor)
 Cloud Providers (CPs) enforce advanced mechanisms that prevent malevolent inbound network traffic from reaching tenants’ VMs
 Such mechanisms are rarely deployed on locally managed systems
Example: Ransomware (WannaCry)
 Ransomware is malware that infects a computer and locks up the machine and the files on it: it encrypts data and demands money
 The most recent (2017) ransomware was WannaCry, which infected more than 400k Windows machines
o Note: the patch for the exploited vulnerability was available 59 days prior to the attack
 Companies/people did not update their IT systems (i.e. the OS)
 The adoption of cloud ensures that systems are always up to date and patched
 Attacks like WannaCry - or more in general a high percentage of viruses - would not have been possible
Security decrease brought by the Cloud
 Outsourced company systems and services are exposed to a
number of confidentiality and integrity risks
 Some attacks have long-standing origins, others leverage typical cloud features
 The Cloud Security Alliance (CSA) identified the following top
threats:
o Account/Service Hijacking
o Shared Technology Vulnerabilities
o DDoS/DoS at application layer
o Extrusion Attacks
o Malicious Insiders
Account/Service Hijacking
 Cloud account hijacking is a process in which an individual or
organization’s cloud account is stolen or hijacked by an attacker
 The attacker uses the stolen account information to conduct
unauthorized or malicious activity
 For example, an attacker having access to the cloud virtual machine
hosting a business website can include malicious code into the web
page to attack users visiting the web page
 This is also known as the watering hole attack.
 Because the data is stored and accessed on devices and resources
often shared among multiple users, the risks of cloud account hijacking
are plentiful
 Company integrity and reputation can be destroyed, and confidential
data can be leaked or falsified causing significant cost to enterprises
and/or customers
Shared Technologies Vulnerabilities – 1/2
 CPs support multiple tenants which share the underlying
infrastructure
 Virtualization provides multi-tenancy through the sharing of
hardware resources like CPU cores, high level cache, storage
devices and network interface cards among different tenants
 The Hypervisor is responsible for the isolation between VMs
 If compromised, an attacker could get access to, e.g., sensitive
data or cryptographic keys
 The category of attacks that leverage channels created through shared hardware usually goes under the name of Cross-VM side-channel attacks
Shared Technologies Vulnerabilities – 2/2
 Cross-VM side channel attacks are very sophisticated
 Where shared hardware resources exist, the side channel attack exploits information obtained from the usage of a Central Processing Unit (CPU) core and/or high level cache memory
 Examples of cache-based side channel attacks are:
o Spectre/Meltdown (the most recent)
o Prime+Probe
o Flush+Reload
Example: Spectre/Meltdown
 In 2018 a group of researchers revealed one of the most
impressive vulnerabilities that affects nearly every computer chip
manufactured in the last 20 years, namely: Spectre and Meltdown
 Intel, AMD, and ARM processors are vulnerable to these attacks
 The two names represent different variants of the same
technique
 They exploit the speculative execution of modern processors.
This is an optimization technique where a computer
system performs some task that may not be needed.
 The flaw in speculative execution allows access to protected cache memory contents
 Mitigations were proposed, but currently they (dramatically) decrease application performance
DDoS/DoS – 1/2
 While some forms of DDoS/DoS are more difficult - or almost
impossible - in the Cloud (e.g. network-based DoS/DDoS),
others are feasible
 In particular, Application-based DoS is possible
 A sophisticated Layer 7 DDoS attack may target specific areas
of a website hosted in a cloud VM, since it would be virtually
impossible to separate malicious from normal traffic
 The attacker could make the service unavailable through the
Web site using for example:
o Buffer Overflows
o Malformed Data
o SQL Injection
DDoS/DoS – 2/2
 Also, attackers could trigger an account lockout
 A simple technique is multiple login attempts, since a common security control - especially for authentication with username and password - is to lock out accounts that have received several unsuccessful authentication attempts in a short time interval
 Attackers can use this technique to launch DoS attacks against a specific user
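The lockout control described above, as an added example that is not part of the lecture: a constructed Python simulation of the naive per-account lockout beside a source-aware throttle that slows down only the failing source and reports a detection signal instead of locking the victim out. The class names, the "alice" account and the source labels are assumptions made for the demonstration.

```python
"""Account-lockout policies under a lockout-DoS, as a constructed simulation.
NaiveLockout is the control the lecture describes (lock the account after N
failures from anyone); SourceAwareThrottle is one hardened alternative that
throttles per (account, source) and exposes a detection signal instead of
locking the victim out. Account and source labels are constructed."""
from collections import defaultdict, deque


class NaiveLockout:
    """Lock an account for lock_seconds once it accumulates `threshold`
    failed logins, regardless of where the attempts came from."""

    def __init__(self, threshold=5, lock_seconds=900):
        self.threshold = threshold
        self.lock_seconds = lock_seconds
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.locked_until = {}             # account -> unlock time (seconds)

    def allowed(self, account, source, now):
        return now >= self.locked_until.get(account, 0)

    def record_failure(self, account, source, now):
        self.failures[account] += 1
        if self.failures[account] >= self.threshold:
            self.locked_until[account] = now + self.lock_seconds
            self.failures[account] = 0


class SourceAwareThrottle:
    """Exponential backoff keyed by (account, source) over a sliding window.
    A flood of failures from one source slows that source down only; the
    legitimate user arriving from another source is not locked out."""

    def __init__(self, free_attempts=3, base_delay=2, max_delay=3600, window=600):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.window = window
        self.failures = defaultdict(deque)  # (account, source) -> failure times

    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return q

    def allowed(self, account, source, now):
        q = self._recent((account, source), now)
        excess = len(q) - self.free_attempts
        if excess < 0:
            return True
        delay = min(self.base_delay * 2 ** excess, self.max_delay)
        return now >= q[-1] + delay

    def record_failure(self, account, source, now):
        self.failures[(account, source)].append(now)

    def sources_failing(self, account, now):
        """Detection signal for the SOC / step-up authentication: number of
        distinct sources with recent failures against one account."""
        return sum(1 for (acc, src) in list(self.failures)
                   if acc == account and self._recent((acc, src), now))


def simulate(policy):
    """Attacker at 'attacker-src' hammers 'alice' with wrong passwords for
    20 seconds; alice then tries from 'home' with the right password.
    Returns (victim_allowed, failures_the_attacker_got_to_register)."""
    attacker_failures = 0
    for t in range(20):
        if policy.allowed("alice", "attacker-src", now=t):
            policy.record_failure("alice", "attacker-src", now=t)
            attacker_failures += 1
    victim_allowed = policy.allowed("alice", "home", now=30)
    return victim_allowed, attacker_failures


if __name__ == "__main__":
    print("naive lockout:", simulate(NaiveLockout()))          # (False, 5)
    print("source-aware: ", simulate(SourceAwareThrottle()))   # (True, 6)
```

With the naive policy the victim is locked out by someone else's failures; with the source-aware policy the victim logs in while the flooding source is backed off and reported.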
Extrusion Attacks
 The cloud platform may also become a means through which an
attack can be launched
 This is due to the Ease of Use characteristic of cloud technology
 Cloud services can easily be used by malicious attackers, since the typical registration process is very simple, and all that is needed is a valid credit card
 In some cases it is possible to pay with PayPal, Western Union, Payza, Bitcoin, or Litecoin, i.e., the registration can be totally anonymous
 As an example, cloud nodes may be used to realize a DDoS
(Outbound) attack
 That is, cloud nodes are used as Botnets for launching a DDoS
The Malicious Insider Threat
 Employees working for the cloud service provider can have
complete access (both physical and logical) to company
resources
 Insider threats to cloud security are underestimated
 Most employees are trustworthy, but a rogue cloud provider
employee has privileges that an outside cyber attacker would
have to work much harder to acquire
 The security of data at rest is not an issue, but malicious insiders
can access the physical memory of servers to easily steal data of
a VM without the need of performing complicated side-channel
attacks
 Currently, this is considered the most worrisome threat
Protection from Insiders and Side-Channel
 Two technologies seem the most promising for countering attacks coming from malicious insiders or exploiting side-channel vulnerabilities, namely:
o Homomorphic Encryption
o Trusted Execution Environment
Homomorphic Encryption
 Standard cryptography requires that data is decrypted before
working on it
 In the cloud, it is desirable to work on sensitive data without
decrypting it first
 Homomorphic Encryption (HE) is a form of encryption that allows
computation on ciphertexts, generating an encrypted result
which, when decrypted, matches the result of the operations as if
they had been performed on the plaintext
 With HE, a cloud tenant may:
1. Encrypt data before sending it to the Cloud
2. Keep it always encrypted in the Cloud, even during computations
3. Decrypt results only when they are received back on local computers
Limitations of Homomorphic Encryption
 Spatial Overhead
o The ciphertext of HE schemes becomes extremely large. With good levels of security: 1 bit of plaintext → 1 Kb of encrypted text
o Hence, with HE, requirements in terms of bandwidth and data storage increase by a factor of 10^3
 Temporal Overhead
o The performance of HE computations is low
o Quite often, HE does not meet execution time requirements
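The encrypt / compute-on-ciphertext / decrypt workflow of the previous slide and the ciphertext expansion above, as an added worked example that is not part of the lecture: a toy Paillier scheme in Python. Paillier is only additively homomorphic (a partially homomorphic scheme, not the fully homomorphic kind the 1 Kb figure refers to), which is enough to show the cloud summing encrypted values it cannot read and to measure ciphertext bits per plaintext bit. The primes P and Q, the function names and the sensor readings are constructed for this demonstration.

```python
"""Toy Paillier encryption (additively homomorphic), constructed for this
lecture as an illustration; it is not a production library. The primes P and
Q are fixed so the run is deterministic; the sensor readings in
cloud_sum_demo are made up."""
import math
import secrets

# Constructed toy primes. Real deployments use primes of ~1024 bits or more.
P = 1000000007
Q = 998244353


def keygen(p=P, q=Q):
    """Return (public_key, private_key). We use g = n + 1, the usual choice."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lambda = lcm(p-1, q-1)
    mu = pow(lam, -1, n)                                # mu = lambda^-1 mod n, valid for g = n + 1
    return (n, n + 1), (lam, mu, n)


def encrypt(pub, m):
    """c = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must satisfy 0 <= m < n")
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(priv, c):
    """m = L(c^lambda mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    lam, mu, n = priv
    x = pow(c, lam, n * n)
    return ((x - 1) // n * mu) % n


def add_encrypted(pub, c1, c2):
    """Cloud-side operation: E(m1) * E(m2) mod n^2 decrypts to m1 + m2 mod n."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """Cloud-side operation: E(m)^k mod n^2 decrypts to k * m mod n."""
    n, _ = pub
    return pow(c, k, n * n)


def expansion_ratio(pub, plaintext_bits=1):
    """Spatial overhead: ciphertext bits per plaintext bit. A ciphertext
    lives in Z_{n^2}, so even a 1-bit message costs ~2*log2(n) bits."""
    n, _ = pub
    return (n * n).bit_length() / plaintext_bits


def cloud_sum_demo(readings):
    """The three-step workflow: the tenant encrypts, the cloud sums the
    ciphertexts without ever decrypting, the tenant decrypts the total.
    Returns (decrypted_total, plaintext_total) so they can be compared."""
    pub, priv = keygen()
    ciphertexts = [encrypt(pub, v) for v in readings]   # step 1: tenant side
    acc = encrypt(pub, 0)                                # step 2: cloud side, ciphertexts only
    for c in ciphertexts:
        acc = add_encrypted(pub, acc, c)
    return decrypt(priv, acc), sum(readings)             # step 3: tenant decrypts the result


if __name__ == "__main__":
    pub, priv = keygen()
    print("sum of readings:", cloud_sum_demo([12, 30, 0, 5]))            # (47, 47)
    print("ciphertext bits per plaintext bit:", expansion_ratio(pub))   # 120.0
```

Even with these tiny 60-bit parameters one plaintext bit costs 120 ciphertext bits; with realistic key sizes the ratio grows into the thousands, which is the spatial overhead the slide describes.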
Trusted Execution Environment
 Another way to counter malicious insiders is to execute sensitive computations within Trusted Execution Environments (TEE)
 A TEE is a secure area that resides in the hardware of specific
processors, which is accessible only by the application owner
 Separated by hardware from the main operating system, a TEE
ensures the secure storage and processing of sensitive data
 Particularly, TEEs can be used to:
o Execute protected computations
o Harden encryption keys of data stored in the cloud,
o Perform sensitive operations like encryption/decryption functions
o Enable secure boot of systems
Trusted Execution Environment
TEE Implementations
 Two implementations of TEE are the most accepted:
o ARM TrustZone
o Intel Software Guard eXtension (SGX)
 ARM TrustZone was designed to ensure security in digital electronic devices (e.g., smartphones)
 It is based on two different modes of operation (Secure World and Normal World) that allow a process to access protected areas of memory and protected peripherals
Intel SGX – 1/2
• Intel SGX – An extension to Intel’s CPU ISA that allows user-level code to allocate private regions of memory, called Secure Enclaves
• Secure enclaves – Address regions protected (with encryption and hashing) from anything outside the enclave, including privileged software
 SGX = Reverse Sandbox
• With SGX, the process memory never leaves the CPU package unencrypted
• The boundary between trusted and untrusted worlds is defined through the enclave interface, which is monitored by the CPU
• Code outside the enclave enters the trusted world through ECALLs; code inside the enclave reaches the untrusted world through OCALLs
Intel SGX – 2/2
Intel SGX Remote Attestation – 1/2
• The idea of attestation is to prove to a remote third party that the software running in a specific enclave is genuine
• The enclave must convince the other enclave – with which it is communicating – that it has a valid measurement hash, is running in a secure environment and has not been tampered with
• SGX provides Local and Remote attestation capabilities:
• Local attestation allows one enclave to attest its TCB to another enclave on the same platform (uses a symmetric key system)
• Remote attestation allows one enclave to attest its TCB to another entity outside of the platform (uses an asymmetric key system)
Intel SGX Remote Attestation – 2/2
• The remote attestation service builds a secure channel between
two enclaves residing in different hosts by performing a Diffie-
Hellman key exchange
• The verification is accomplished through the Intel Attestation Server, which maintains a database of the keys generated and fused into each SGX-enabled CPU during manufacturing
• The mutual verification is performed using this processor key, which is accessible only by a special enclave known as the Quoting Enclave
Intel SGX Drawbacks
• SGX provides strong security, but…
1. It impacts performance: the execution time suffers from
context switches between enclave and non-enclave
application sections
2. It has limited physical memory to store the Enclave Page Cache (EPC), i.e., the data structure containing the protected code and data. Processor Reserved Memory (PRM) is limited to 128MB
3. It does not allow ring0 instructions within the enclave. That is, system calls cannot be executed
• On the Linux OS, the memory size limit can be extended (via software paging) up to 4GB, but at a very high performance cost
The SERECA Project
 SERECA is a H2020 European project belonging to the call:
o ICT-07-2014 - Advanced Cloud Infrastructures and Services
 A Mixture of Academic and Industrial Partners Involved:
o Technische Universität Dresden (TUD)
o Technische Universität Braunschweig (TUB)
o Imperial College London (IMP)
o Cloud&Heat Technologies (CHT)
o Epsilon S.r.l. (EPS)
o Red Hat
o jClarity
o EIPLI
 Website: www.serecaproject.eu
Integrate SGX within Microservice Applications
• Identified Problem: usable size of enclaves is limited
• How to reduce the fraction of code running inside enclaves?
• Solution: Use a Microservice Application Pattern
• Microservices are a popular solution to build scalable and resilient applications
• Each microservice is a lightweight unit of software in charge of a particular function
• Microservices became popular since their characteristics perfectly match Cloud platforms
• Nowadays, this framework is the de facto standard for developing cloud applications
The Chosen Microservice Framework
 Vert.X was the chosen microservice framework to extend
 Vert.x is a polyglot, event-driven framework for reactive microservice applications
 Vert.X is adopted by several companies for their cloud software
 In Vert.X, microservices exchange messages through an EventBus that ensures asynchronous message patterns
 Vert.x makes the life of cloud developers much easier!
[Figure: microservices connected through the Vert.X Event Bus]
The Critical Infrastructure Use Case
• One important use case in SERECA was a monitoring application for an Italian Water Supply Network
• Reason: promote the adoption of cloud computing in the Critical Infrastructure domain to better manage Big Data
• Goal: enabling secure data computation and storage in the cloud leveraging the SERECA cloud platform
The Dam Use Case using SERECA
[Figure: Dam sensors deliver measurements over Modbus to a Data Collector Verticle, which publishes them on the Vert.x EventBus; the Vert.x components are protected with SGX]
The main issue
Vert.X is written in Java, so it runs on top of a Java Virtual Machine (JVM)
Intel SGX, instead, only allows building enclaves written in C/C++, does not allow system calls, and has limited memory
Solutions Investigated SERECA
 In SERECA three different solutions were investigated to harden microservices and supporting facilities (e.g. databases) with SGX
o Approach 1 – SGX-JVM - A transparent SGX support
by running a lightweight JVM into SGX enclaves
o Approach 2 – SCONE – A transparent SGX support by
executing software in SGX-enabled containers, built with
SGX-extended libc libraries
o Approach 3 - SGX-JNI bridge – A non-transparent
SGX support for small sensitive pieces of code running
in a Java Virtual Machine
Approach 1 – Running a JVM into SGX
 Running a JVM inside an SGX enclave is non-trivial and an
unusual move.
 Normally you’d try to minimise the TCB inside an enclave, to reduce
the risk of it being hacked.
Good
• Having a JVM running in an
enclave would enable an easy
integration of SGX within Vert.x
• Easy porting of existing Java code
• Easier to write new Java code
Bad
• Porting the Hotspot JVM would
be really difficult. The Hotspot
JVM is a beast!!!
• A lightweight JVM (e.g. JamVM)
may be a solution but…
• Performances of lightweight
JVMs are bad!
The TCB size dramatically grows
Web Server Performance of lightweight JVM
[Figure: Vert.X HTTP Server Latency, Time (ms) vs. Concurrent Requests (0 to 3000), and Vert.X HTTP Server Throughput, kReq/s (0 to 8) vs. Concurrent Requests, for HotSpot JVM and JamVM]
 We compared the performance of a Vert.x HTTP web server running on a HotSpot JVM and on a lightweight JVM (JamVM). As shown, the overhead is extremely large
Approach 2 – SCONE
 Extend the libc library with SGX and compile containers with this extended library
 Run the Java software within the secure container
Good
• The effort of migrating software into the container is low
• The TCB is smaller than in Approach 1
Bad
• Performance is better than Approach 1 but still not very good
Approach 2 – SCONE
 Applications/microservices are
executed in protected
containers
 Applications transparently use:
o Shielded system calls, which are executed asynchronously in an SGX enclave
o A shielded network interface that protects network functionality with SGX
o Shielded file system calls that encrypt data inside SGX before it is written to the file system
Approach 3 – Using a SGX-JNI Bridge
• A different solution consists of keeping enclave code in C/C++ and issuing ECALLs from Java through a JNI bridge
Good
• Performance is better than Approaches 1 and 2
• The TCB size of the enclave is kept really small
Bad
• The integration of SGX within Vert.X becomes more difficult
• Need to re-write sensitive parts of Vert.x microservices in C/C++
SERECA Final Architecture
[Figure: SERECA Application Framework. Docker containers host Secure Verticle components (Trusted Bridge beside Untrusted Vert.x), Secure Verticles running on SGX-LKL, SCONE-secured Secure Mongo and Secure MySQL, and SecureKeeper; containers communicate over TLS and a Secure Event Bus on Intel SGX cloud infrastructure. Legend: TLS terminated socket, Secure Event Bus, SGX Enclave, SecureKeeper, JNI Bridge, TLS, Vert.x, SGX-LKL, SCONE; components attributed to partners RH, TU, IMP, CH]
The KONFIDO Project
 Call: H2020-DS-2016-2017 (Digital Security Focus Area)
 Topic: DS-03-2016 - Increasing digital security of health
related data on a systemic level
o “Proposals would provide a holistic approach to address
challenges of secure storage and exchange (including cross-
border) of data, protection and control over personal data,
and security of health related data gathered by mobile
devices combined with the usability of the eHealth solutions.”
 Type of action: RIA (Research and Innovation action)
 Start date: November 1st, 2016
 Duration: 36 months
Partners
 Exus Software Ltd (UK) – Industry
 Ethniko Kentro Erevnas Kai Technologikis Anaptyxis –
Certh (GR) – Research Organization
 Consorzio Interuniversitario Nazionale per L'informatica (IT)
– Research Organization
 Fundacio Eurecat (ES) – Research Organization
 Consorci Institut D'investigacions Biomediques August Pi I
Sunyer (ES) – Research Organization
 Commissariat a L’energie Atomique at Aux Energies
Alternatives – Cea (FR) – Public Body
 Medcom (DN) – Public Body
KONFIDO Goals
 The KONFIDO project aims at providing Secure Cross-Border
eHealth Data Exchange in the EU
 Electronic health services are growing rapidly and there is high
standard heterogeneity at both EU and National levels on
Electronic Health Records (EHR)
Examples of EHR standards shown on the slide: CEN-EN 13606, ISO TC215, openEHR, ISO 22220, ISO 13606, ISO/TS 18308:2004, SPC, SPICCA, …
The KONFIDO Approach
 KONFIDO aims at creating a scalable and holistic paradigm for
secure inner and cross-border exchange, storage and overall
handling of healthcare data in a legal and ethical way both at
national and European level.
 In order to achieve this objective, the following six technological
pillars will be exploited:
o Security Information and Event Management (SIEM)
o Physical Unclonable Function (PUF)-based cryptography
o Homomorphic encryption
o STORK-compliant eID
o Intel Software Guard Extensions (SGX)
o Authentication and logging mechanisms à la block-chain
KONFIDO Architecture
OpenNCP
 The OpenNCP framework offers a comprehensive set of
interoperability services to enable national and regional
eHealth platforms to set up cross-border health information
networks with minimal adaptation of the existing
infrastructure.
 OpenNCP, available as open source software, has
been adopted in 10 Member States, allowing them to
interconnect their eHealth infrastructures.
 The National Contact Point (NCP) is the fulcrum of cross-
border interoperability: it connects the Participating
Nation (PN) to the European-level environment.
 The National Contact Point can be deployed in local
infrastructures or in cloud environments
NCP concept
HCP= HealthCare Provider
KONFIDO and openNCP (1/2)
 KONFIDO does not extend OpenNCP with additional
features. Rather, it enhances OpenNCP by securely
connecting it to the KONFIDO platform.
 By doing so, the information systems of individual
countries can interoperate in a secure way.
 KONFIDO ensures data security at different
architectural levels, and in particular: presentation,
processing, dissemination, and storage.
Patient Summary Transformation – 1/2
• The NCP host is the place where the most critical
operations take place
• A Patient Summary (PS) needs to be transformed
when it crosses countries’ borders
• This operation occurs within the NCP host in the clear
• Besides the NCP, another node is involved in the
transformation process: the Terminology Server,
managed by the Terminology Service Access
Manager (TSAM)
• The TSAM keeps the correspondences between: i) origin
country language codes, ii) epSOS codes, iii) destination
country codes
Patient Summary Transformation – 2/2
• The transformation of a PS consists of:
• Transcoding – the conversion of the original
document into a pivot, OpenNCP-specific format
• Translating – the conversion of the pivoted document
into the destination country’s language
OpenNCP PS Transformation – 2/2
Sequence diagram (reconstructed from the slide). Participants shown: HCP, NCP-B, NCP-A, NI-A and NI-B (the national infrastructures of the two countries). Steps as labelled in the diagram:
1. Ask for PS (HCP)
2. Verify authenticity of HCP
3. Send request
4. Verify authenticity of NCP-A
5. Send request to the National PS Infrastructure
6. Encrypt and return PS
7. Decrypt PS
8. Transcode PS
9. Encrypt and send PS
10. Decrypt PS
11. Translate PS
12. Encrypt and return PS
Security risks for OpenNCP Transformation
• During the transformation, the PS is exposed to
confidentiality and integrity attacks on:
• Data-in-use – Attackers who escalate privileges may,
e.g., easily dump the memory of the NCP node and
read or tamper with the PS
• Data-in-transit – Data exchanged between NCPs
can be attacked. A mechanism that maintains trust
between NCPs is needed
Protecting Data-in-Use – 1/2
• Two components of OpenNCP have been made
SGX-enabled to protect data-in-use. These are:
• Transformation-Manager (TM) – in charge of
document (e.g. PS) schema verification,
translation, and transcoding.
• Security-Manager (SM) – in charge of security-related
operations like signature verification, etc.
• The idea is to decrypt/encrypt a PS within the enclave
and shield the document processing with SGX
Protecting Data-in-Transit
• Data exchanged between NCPs is protected through
encryption
• NCP enclaves establish a remotely attested communication
channel that gives guarantees on the chain of trust
• The OpenNCP Protocol Terminator modules are extended to
support remote attestation and SGX-terminated SSL
connections
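The following added example (not OpenNCP or KONFIDO code) models the PS flow of the sequence diagram above together with the two protections just described: the PS is only ever in the clear inside an enclave-like object that performs the decrypt, transcode/translate, re-encrypt steps, the untrusted NCP host only relays ciphertext, and a peer receives a session key only after an attestation check on its identity. The TSAM tables, the identities ("measurements"), the keys and the sample PS are all constructed, and the HMAC-based stream cipher is a standard-library stand-in for the AEAD a real deployment would use.

```python
"""Model of the PS transformation trust boundary described in the slides.

Added example, not OpenNCP or KONFIDO code. Every table, key, identity
("measurement") and PS below is constructed sample data, and the HMAC-based
stream cipher is a standard-library stand-in for a real AEAD such as AES-GCM.
"""
import hashlib
import hmac
import json
import secrets

# Constructed TSAM tables: origin-country code -> epSOS pivot code -> destination code/text.
TSAM_TO_EPSOS = {"IT": {"IT-ALG-001": "EPSOS-ALG-PEN", "IT-MED-077": "EPSOS-MED-AMOX"}}
TSAM_FROM_EPSOS = {"DK": {"EPSOS-ALG-PEN": "DK-ALG-42", "EPSOS-MED-AMOX": "DK-MED-17"}}
TSAM_DISPLAY = {"da": {"EPSOS-ALG-PEN": "Penicillinallergi", "EPSOS-MED-AMOX": "Amoxicillin"}}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 counter keystream (stand-in for a real cipher; not for production use)."""
    out = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range((n + 31) // 32))
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag first, so a tampered PS never reaches the document parser."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("PS integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Enclave:
    """Trusted part of a node: the only place where the PS exists in the clear."""

    def __init__(self, name: str, measurement: bytes):
        self.name = name
        self.measurement = measurement  # stands in for the SGX enclave identity (MRENCLAVE)
        self.keys = {}                  # peer name -> session key; never leaves the enclave

    def attest_and_pair(self, peer: "Enclave", expected_measurement: bytes) -> None:
        """Remote-attestation stand-in: a peer gets a session key only if its identity matches."""
        if not hmac.compare_digest(peer.measurement, expected_measurement):
            raise PermissionError(f"{peer.name}: attestation failed, no session key issued")
        key = secrets.token_bytes(32)
        self.keys[peer.name] = key
        peer.keys[self.name] = key

    def transcode(self, blob: bytes, src: str, dst: str, origin: str) -> bytes:
        """NCP-A, steps 7-9: decrypt, map origin codes to the epSOS pivot, re-encrypt for NCP-B."""
        ps = json.loads(unseal(self.keys[src], blob))
        ps["entries"] = [dict(e, code=TSAM_TO_EPSOS[origin][e["code"]]) for e in ps["entries"]]
        ps["format"] = "epSOS-pivot"
        return seal(self.keys[dst], json.dumps(ps).encode())

    def translate(self, blob: bytes, src: str, dst: str, country: str, lang: str) -> bytes:
        """NCP-B, steps 10-12: decrypt the pivot, map to destination codes and language, re-encrypt."""
        ps = json.loads(unseal(self.keys[src], blob))
        ps["entries"] = [dict(e, code=TSAM_FROM_EPSOS[country][e["code"]],
                              display=TSAM_DISPLAY[lang][e["code"]]) for e in ps["entries"]]
        ps["format"] = f"{country}-national"
        return seal(self.keys[dst], json.dumps(ps).encode())


def host_memory_leaks_codes(blob: bytes, ps: dict) -> bool:
    """What a privileged attacker dumping NCP host memory outside the enclave would find."""
    return any(e["code"].encode() in blob for e in ps["entries"])


def run_exchange() -> dict:
    """Steps 5-12 of the slide's flow, with constructed identities and a sample Italian PS."""
    ni_a = Enclave("NI-A", b"ni-a-id")      # national PS infrastructure of country A
    ncp_a = Enclave("NCP-A", b"ncp-a-id")
    ncp_b = Enclave("NCP-B", b"ncp-b-id")
    hcp = Enclave("HCP", b"hcp-id")         # requesting provider, modelled with the same class
    ni_a.attest_and_pair(ncp_a, b"ncp-a-id")
    ncp_a.attest_and_pair(ncp_b, b"ncp-b-id")   # chain of trust between the two NCP enclaves
    ncp_b.attest_and_pair(hcp, b"hcp-id")

    ps = {"patient": "sample-0001", "format": "IT-national",
          "entries": [{"code": "IT-ALG-001"}, {"code": "IT-MED-077"}]}
    blob = seal(ni_a.keys["NCP-A"], json.dumps(ps).encode())              # step 6
    if host_memory_leaks_codes(blob, ps):
        raise RuntimeError("PS visible outside the enclave")
    blob = ncp_a.transcode(blob, "NI-A", "NCP-B", origin="IT")            # steps 7-9
    blob = ncp_b.translate(blob, "NCP-A", "HCP", country="DK", lang="da")  # steps 10-12
    return json.loads(unseal(hcp.keys["NCP-B"], blob))


if __name__ == "__main__":
    print(json.dumps(run_exchange(), indent=2))
```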
Contact Info
Giovanni Mazzeo
e-mail: giovanni.mazzeo@uniparthenope.it
Cell: +39-334-3119910
The Fault and Intrusion Tolerant NEtworked SystemS
(FITNESS)
Research Group
http://www.fitnesslab.eu/

Mais conteúdo relacionado

Mais procurados

Security on Cloud Computing
Security on Cloud Computing Security on Cloud Computing
Security on Cloud Computing Reza Pahlava
 
Best Practices in Cloud Security
Best Practices in Cloud SecurityBest Practices in Cloud Security
Best Practices in Cloud SecurityAlert Logic
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the CloudSecurity Innovation
 
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeCloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeHimani Singh
 
Cloud Security - Emerging Facets and Frontiers
Cloud Security - Emerging Facets and FrontiersCloud Security - Emerging Facets and Frontiers
Cloud Security - Emerging Facets and FrontiersGokul Alex
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Akash Mahajan
 
Security As A Service
Security As A ServiceSecurity As A Service
Security As A Serviceguest536dd0e
 
Cyber Security and Cloud Computing
Cyber Security and Cloud ComputingCyber Security and Cloud Computing
Cyber Security and Cloud ComputingKeet Sugathadasa
 
Cloud Security Guidance from CESG and AWS
Cloud Security Guidance from CESG and AWSCloud Security Guidance from CESG and AWS
Cloud Security Guidance from CESG and AWSAmazon Web Services
 
Security in cloud computing
Security in cloud computingSecurity in cloud computing
Security in cloud computingveena venugopal
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudPaulo Renato
 
CSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewCSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewAlert Logic
 
Securing virtual workload and cloud
Securing virtual workload and cloudSecuring virtual workload and cloud
Securing virtual workload and cloudHimani Singh
 
Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")Vic Winkler
 
7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack AzureAbdul Khan
 

Mais procurados (20)

Security on Cloud Computing
Security on Cloud Computing Security on Cloud Computing
Security on Cloud Computing
 
Best Practices in Cloud Security
Best Practices in Cloud SecurityBest Practices in Cloud Security
Best Practices in Cloud Security
 
Cloud Security Fundamentals Webinar
Cloud Security Fundamentals WebinarCloud Security Fundamentals Webinar
Cloud Security Fundamentals Webinar
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
 
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeCloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
 
Cloud Security - Emerging Facets and Frontiers
Cloud Security - Emerging Facets and FrontiersCloud Security - Emerging Facets and Frontiers
Cloud Security - Emerging Facets and Frontiers
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
Security As A Service
Security As A ServiceSecurity As A Service
Security As A Service
 
Azure security
Azure  securityAzure  security
Azure security
 
Cyber Security and Cloud Computing
Cyber Security and Cloud ComputingCyber Security and Cloud Computing
Cyber Security and Cloud Computing
 
Cloud Security Guidance from CESG and AWS
Cloud Security Guidance from CESG and AWSCloud Security Guidance from CESG and AWS
Cloud Security Guidance from CESG and AWS
 
Security in cloud computing
Security in cloud computingSecurity in cloud computing
Security in cloud computing
 
Cloud security (domain11 14)
Cloud security (domain11 14)Cloud security (domain11 14)
Cloud security (domain11 14)
 
Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)
 
Cloud Security Governance
Cloud Security GovernanceCloud Security Governance
Cloud Security Governance
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure Cloud
 
CSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewCSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model Overview
 
Securing virtual workload and cloud
Securing virtual workload and cloudSecuring virtual workload and cloud
Securing virtual workload and cloud
 
Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")
 
7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure
 

Semelhante a Cloud Security

Cloud models and platforms
Cloud models and platformsCloud models and platforms
Cloud models and platformspurplesea
 
Scientific Cloud Computing: Present & Future
Scientific Cloud Computing: Present & FutureScientific Cloud Computing: Present & Future
Scientific Cloud Computing: Present & Futurestratuslab
 
Muves3 Elastic Grid Java One2009 Final
Muves3 Elastic Grid Java One2009 FinalMuves3 Elastic Grid Java One2009 Final
Muves3 Elastic Grid Java One2009 FinalElastic Grid, LLC.
 
Cloud Intrusion and Autonomic Management in Autonomic Cloud Computing
Cloud Intrusion and Autonomic Management in Autonomic Cloud ComputingCloud Intrusion and Autonomic Management in Autonomic Cloud Computing
Cloud Intrusion and Autonomic Management in Autonomic Cloud Computingijtsrd
 
An introduction to the cloud 11 v1
An introduction to the cloud 11 v1An introduction to the cloud 11 v1
An introduction to the cloud 11 v1charan7575
 
Wicsa2011 cloud tutorial
Wicsa2011 cloud tutorialWicsa2011 cloud tutorial
Wicsa2011 cloud tutorialAnna Liu
 
Microservices architecture
Microservices architectureMicroservices architecture
Microservices architectureFaren faren
 
A Security Model for Virtual Infrastructure in the Cloud
A Security Model for Virtual Infrastructure in the CloudA Security Model for Virtual Infrastructure in the Cloud
A Security Model for Virtual Infrastructure in the CloudEditor IJCATR
 
Cloud Computing 2010 - EMC - Bruno Melandri
Cloud Computing 2010 - EMC - Bruno MelandriCloud Computing 2010 - EMC - Bruno Melandri
Cloud Computing 2010 - EMC - Bruno MelandriManuela Moroncini
 
New Threats, New Approaches in Modern Data Centers
New Threats, New Approaches in Modern Data CentersNew Threats, New Approaches in Modern Data Centers
New Threats, New Approaches in Modern Data CentersIben Rodriguez
 
Cloud Computing genral for all concepts.pptx
Cloud Computing genral for all concepts.pptxCloud Computing genral for all concepts.pptx
Cloud Computing genral for all concepts.pptxraghavanp4
 
Harbour IT & VMware - vForum 2010 Wrap
Harbour IT & VMware - vForum 2010 WrapHarbour IT & VMware - vForum 2010 Wrap
Harbour IT & VMware - vForum 2010 WrapHarbourIT
 
Convergence of Private Clouds
Convergence of Private CloudsConvergence of Private Clouds
Convergence of Private Cloudslatoga
 
Cloud models and platforms
Cloud models and platformsCloud models and platforms
Cloud models and platformsPrabhat gangwar
 
Data Security Model Enhancement In Cloud Environment
Data Security Model Enhancement In Cloud EnvironmentData Security Model Enhancement In Cloud Environment
Data Security Model Enhancement In Cloud EnvironmentIOSR Journals
 
IRJET- Developing an Algorithm to Detect Malware in Cloud
IRJET- Developing an Algorithm to Detect Malware in CloudIRJET- Developing an Algorithm to Detect Malware in Cloud
IRJET- Developing an Algorithm to Detect Malware in CloudIRJET Journal
 

Semelhante a Cloud Security (20)

Cloud models and platforms
Cloud models and platformsCloud models and platforms
Cloud models and platforms
 
Scientific Cloud Computing: Present & Future
Scientific Cloud Computing: Present & FutureScientific Cloud Computing: Present & Future
Scientific Cloud Computing: Present & Future
 
Muves3 Elastic Grid Java One2009 Final
Muves3 Elastic Grid Java One2009 FinalMuves3 Elastic Grid Java One2009 Final
Muves3 Elastic Grid Java One2009 Final
 
Cloud Intrusion and Autonomic Management in Autonomic Cloud Computing
Cloud Intrusion and Autonomic Management in Autonomic Cloud ComputingCloud Intrusion and Autonomic Management in Autonomic Cloud Computing
Cloud Intrusion and Autonomic Management in Autonomic Cloud Computing
 
Cloud testing
Cloud testingCloud testing
Cloud testing
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
An introduction to the cloud 11 v1
An introduction to the cloud 11 v1An introduction to the cloud 11 v1
An introduction to the cloud 11 v1
 
Securing The Journey To The Cloud
Securing The Journey To The Cloud Securing The Journey To The Cloud
Securing The Journey To The Cloud
 
Wicsa2011 cloud tutorial
Wicsa2011 cloud tutorialWicsa2011 cloud tutorial
Wicsa2011 cloud tutorial
 
Microservices architecture
Microservices architectureMicroservices architecture
Microservices architecture
 
A Security Model for Virtual Infrastructure in the Cloud
A Security Model for Virtual Infrastructure in the CloudA Security Model for Virtual Infrastructure in the Cloud
A Security Model for Virtual Infrastructure in the Cloud
 
Cloud Computing 2010 - EMC - Bruno Melandri
Cloud Computing 2010 - EMC - Bruno MelandriCloud Computing 2010 - EMC - Bruno Melandri
Cloud Computing 2010 - EMC - Bruno Melandri
 
New Threats, New Approaches in Modern Data Centers
New Threats, New Approaches in Modern Data CentersNew Threats, New Approaches in Modern Data Centers
New Threats, New Approaches in Modern Data Centers
 
Cloud Computing genral for all concepts.pptx
Cloud Computing genral for all concepts.pptxCloud Computing genral for all concepts.pptx
Cloud Computing genral for all concepts.pptx
 
Harbour IT & VMware - vForum 2010 Wrap
Harbour IT & VMware - vForum 2010 WrapHarbour IT & VMware - vForum 2010 Wrap
Harbour IT & VMware - vForum 2010 Wrap
 
Convergence of Private Clouds
Convergence of Private CloudsConvergence of Private Clouds
Convergence of Private Clouds
 
Cloud models and platforms
Cloud models and platformsCloud models and platforms
Cloud models and platforms
 
Data Security Model Enhancement In Cloud Environment
Data Security Model Enhancement In Cloud EnvironmentData Security Model Enhancement In Cloud Environment
Data Security Model Enhancement In Cloud Environment
 
IRJET- Developing an Algorithm to Detect Malware in Cloud
IRJET- Developing an Algorithm to Detect Malware in CloudIRJET- Developing an Algorithm to Detect Malware in Cloud
IRJET- Developing an Algorithm to Detect Malware in Cloud
 
Cloud
CloudCloud
Cloud
 

Último

Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxJoão Esperancinha
 
Introduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECHIntroduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECHC Sai Kiran
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxk795866
 
Arduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptArduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptSAURABHKUMAR892774
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024hassan khalil
 
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncWhy does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncssuser2ae721
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxPoojaBan
 
Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting  .Churning of Butter, Factors affecting  .
Churning of Butter, Factors affecting .Satyam Kumar
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfme23b1001
 
Correctly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleCorrectly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleAlluxio, Inc.
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfAsst.prof M.Gokilavani
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girlsssuser7cb4ff
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort servicejennyeacort
 
An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...Chandu841456
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidNikhilNagaraju
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile servicerehmti665
 
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEINFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEroselinkalist12
 

Último (20)

Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 
Introduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECHIntroduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECH
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptx
 
Arduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptArduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.ppt
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncWhy does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptx
 
Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting  .Churning of Butter, Factors affecting  .
Churning of Butter, Factors affecting .
 
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdf
 
Correctly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleCorrectly Loading Incremental Data at Scale
Correctly Loading Incremental Data at Scale
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
 
Design and analysis of solar grass cutter.pdf
Design and analysis of solar grass cutter.pdfDesign and analysis of solar grass cutter.pdf
Design and analysis of solar grass cutter.pdf
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girls
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfid
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile service
 
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEINFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
 

Cloud Security

  • 1. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group http://www.fitnesslab.eu/ Cloud Security Giovanni Mazzeo Università degli Studi di Napoli «Parthenope»
  • 2. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group http://www.fitnesslab.eu/ Roadmap  The importance of cloud technology  Cloud concepts and delivery models  Cloud pillars  Advantages and disadvantages of cloud technology  Security risks in the cloud environment  The malicious insider threat  Current approaches for protecting from malicious insiders  Case studies: o The SERECA project: cloudifying Critical Applications o The KONFIDO project: protecting clinical data
  • 3. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group http://www.fitnesslab.eu/ The growth of Cloud Computing  Compound Annual Growth Rate (CAGR) of cloud services
  • 4. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group http://www.fitnesslab.eu/ Spending in Cloud Infrastructures  Billions of dollars spent by companies in cloud infrastructures
  • 5. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group http://www.fitnesslab.eu/ Defining the Cloud  The National Institute of Standards and Technology (NIST) provides the following definition: Cloud computing is a model for enabling convenient, on- demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction The cloud model increases availability and is composed of five essential characteristics, three service models, and four deployment models.
  • 6. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group http://www.fitnesslab.eu/ Cloud Characteristics - 1/2 1. On-demand self-service – A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider 2. Broad network access – Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs)
  • 7. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group http://www.fitnesslab.eu/ Cloud Characteristics - 2/2 3. Resource pooling – The provider’s computing resources are pooled to serve multiple consumers using a multi- tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand 4. Rapid elasticity – Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in 5. Measured Service – Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts)
  • 8. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group http://www.fitnesslab.eu/ Cloud Service Models  The type of cloud offerings (or service models) varies depending on the number of hardware and software layers managed by the provider  Each service model targets a different user, also called tenant  Generally, the cloud market proposes three solutions: • e.g.: Google Docs, Office365, Dropbox, Apple iCloud Software as a Service (SaaS) – Target: App Users • e.g.: RedHat OpenShift, Force.com, Google App engine Plaform as a Service (PaaS) – Target: App Developers • e.g.: Amazon AWS EC2, Microsoft Azure, Google Cloud Infrastructure as a Service (IaaS) – Target: System Admin
  • 9. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group http://www.fitnesslab.eu/ Examples of cloud service offerings
  • 10. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group http://www.fitnesslab.eu/ On Premises
  • 11. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group http://www.fitnesslab.eu/ Infrastructure as a Service (IaaS)
  • 12. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group http://www.fitnesslab.eu/ Platform as a Service (PaaS)
  • 13. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group http://www.fitnesslab.eu/ Software as a Service (SaaS)
  • 14. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group http://www.fitnesslab.eu/ Example:  In 2008 Netflix decided to migrate to the IaaS Amazon AWS  Why? o An unexpected peak of requests overloaded the servers with a consequent service degradation o The company faced a failure of their database that made the service unavailable for two days  The cloud was seen as the solution: o They do not have to manage IT systems (i.e. server installation, maintenance, software updates, refrigeration system set up, etc.) o They do not care if a peak of requests arrive, as the cloud scalability ensures that automatically other servers are launched o Even if one or more nodes fail, the service is always available
  • 15. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group http://www.fitnesslab.eu/ Cloud enabling technology  The key enabling technology of the cloud is virtualization  Virtualization means simulating the hardware platform, the operating system, storage devices, and network resources  Virtualization increases resources usage efficiency
  • 16. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group http://www.fitnesslab.eu/ Virtualization Concepts  The virtualization of machines to be offered to Cloud customers is made possible by the Hypervisor  This is a software layer that lays between the hardware and OSes and provides an interface to share the available resources to virtual machines  The Hypervisor is the unit that assigns, in different time slices, hardware resources to VMs
• 17. Hypervisor
 Two types of hypervisor:
o Bare-metal (Type 1) – There is no host OS, i.e., the hypervisor runs directly on top of the hardware
o Hosted (Type 2) – The hypervisor runs as a process inside a host OS
• 18. Container-based Virtualization
 In the last 5-10 years a new form of virtualization has gained ground in cloud environments: containers
 These are an OS-level virtualization method for running multiple isolated environments (containers) within a single host
 Containers share the host kernel and therefore do not need a hypervisor layer; the isolation boundary is the kernel itself, which is a weaker boundary than a VM's
 Advantages of containers with respect to VMs:
o Faster startup
o Less resource consumption
o Cheaper
o Easier to deploy
• 20. Reference Architecture
 The cloud reference architecture is composed of three main parts:
o Supporting (IT) infrastructure: facilities and services common to any IT service, cloud or otherwise
o Cloud-specific infrastructure: these components constitute the heart of a cloud service; cloud-specific functionalities are typically mapped to these components
o Cloud service consumer: the cloud service is exposed to the final consumers (e.g. a web client) through this layer
• 21. Reference Architecture (figure)
 Figure: layered reference architecture. Supporting IT infrastructure: Facilities, Hardware. Cloud-specific infrastructure: Kernel, Computational Resources, Storage, Communication, Cloud Software Environment, Cloud (Web) Applications, Provider Services and APIs, Management Access, IAAA Mechanisms. Service consumer: User Front End, Network
• 22. Cloud Advantages (figure)
 Figure: Cost Efficiency, Flexibility, Scalability, Reliability, Maintainability, Security
• 23. Cloud Disadvantages (figure)
 Figure: Lock-In, Security, Internet-dependency, Lack of Control, Reliability
• 24. Security increase brought by the Cloud
 Cloud technology provides protection from some types of attacks that are easy to carry out against locally managed systems, since it ensures:
o Higher physical security. Cloud vendors host their systems in facilities with much stronger physical security controls against external intruders
o Advanced detection and prevention mechanisms for Denial of Service at the network level
o More frequent security patching and system updates, which prevent viruses or worms from exploiting known software bugs
o Multi-factor authentication, which is much more secure than traditional username and password authentication
• 25. Example: DDoS (Inbound)
 Attackers are often interested in putting a system (e.g. a web server) out of service through Distributed Denial of Service (DDoS) attacks
 They produce a massive number of requests to the target from distributed nodes, typically a botnet (a group of computers infected by malware and under the control of the malicious actor)
 Cloud providers (CPs) enforce advanced mechanisms that prevent malicious inbound network traffic from reaching tenants' VMs
 These mechanisms are rarely in place on locally managed systems
• 26. Example: Ransomware (WannaCry)
 Ransomware is malware that infects a computer, encrypts the files on it, and demands money for the decryption key
 The most recent (2017) ransomware was WannaCry, which infected more than 400k Windows machines
o Note
 The patch for the exploited vulnerability was available 59 days before the attack
 Companies and people did not update their IT systems (i.e. the OS)
 With managed cloud services (SaaS/PaaS) the provider keeps the systems patched and up to date; in IaaS the tenant still has to patch the guest OS
 Attacks like WannaCry, or more generally a high percentage of viruses, would not have been possible on a patched system
• 27. Security decrease brought by the Cloud
 Outsourced company systems and services are exposed to a number of confidentiality and integrity risks
 Some attacks predate the cloud, others leverage typical cloud features
 The Cloud Security Alliance (CSA) identified the following top threats:
o Account/Service Hijacking
o Shared Technology Vulnerabilities
o DDoS/DoS at the application layer
o Extrusion Attacks
o Malicious Insiders
• 28. Account/Service Hijacking
 Cloud account hijacking is a process in which an individual's or organization's cloud account is stolen or taken over by an attacker
 The attacker uses the stolen account credentials to conduct unauthorized or malicious activity
 For example, an attacker with access to the cloud virtual machine hosting a business website can inject malicious code into the web pages to attack the users visiting them
 This is also known as a watering hole attack
 Because data is stored on, and accessed through, devices and resources shared among multiple users, the risks of cloud account hijacking are plentiful
 Company integrity and reputation can be destroyed, and confidential data can be leaked or falsified, causing significant cost to enterprises and/or customers
• 29. Shared Technology Vulnerabilities – 1/2
 CPs support multiple tenants which share the underlying infrastructure
 Virtualization provides multi-tenancy by sharing hardware resources such as CPU cores, last-level cache, storage devices and network interface cards among different tenants
 The Hypervisor is responsible for the isolation between VMs
 If it is compromised, an attacker could get access to, e.g., sensitive data or cryptographic keys of other tenants
 The category of attacks that leverage channels created through shared hardware usually goes under the name Cross-VM side channel
• 30. Shared Technology Vulnerabilities – 2/2
 Cross-VM side-channel attacks are very sophisticated attacks
 Where shared hardware resources exist, the side-channel attack exploits information leaked by the usage of a Central Processing Unit (CPU) core and/or the last-level cache memory
 Examples of cache-based side channels are:
o Prime+Probe
o Flush+Reload
o Spectre/Meltdown (the most recent); strictly speaking these are transient-execution attacks that use a cache side channel (typically Flush+Reload) to leak the data they reach
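The Prime+Probe technique named above, worked through on a modelled cache as an added example (this is not code from the slides or from any published attack). Assumptions: a 64-set, 4-way, LRU cache with 64-byte lines, and toy addresses for the attacker's eviction buffer and the victim's lookup table. The attacker never reads the victim's secret; it primes every cache set with its own lines, lets the victim run, then probes and sees which set now misses.

```python
"""Prime+Probe on a modelled set-associative cache (added example, not from the slides).

Assumptions: 64-byte lines, 64 sets, 4 ways, LRU replacement, and fixed toy
addresses for the attacker's eviction buffer and the victim's lookup table.
"""
from collections import OrderedDict

LINE = 64      # bytes per cache line (assumption)
SETS = 64      # number of sets in the modelled cache (assumption)
WAYS = 4       # associativity (assumption)

ATTACKER_BASE = 0x10_0000   # attacker's eviction buffer (toy address)
VICTIM_TABLE = 0x20_0000    # victim lookup table, one line per entry (toy address)


class Cache:
    """Tiny set-associative LRU cache model; access() reports hit or miss."""

    def __init__(self):
        self.sets = [OrderedDict() for _ in range(SETS)]

    def access(self, addr):
        line = addr // LINE
        tag, idx = line // SETS, line % SETS
        s = self.sets[idx]
        if tag in s:
            s.move_to_end(tag)       # refresh LRU position
            return True
        if len(s) >= WAYS:
            s.popitem(last=False)    # evict the least recently used line
        s[tag] = True
        return False


def attacker_lines(set_idx):
    """WAYS distinct attacker addresses that all map to cache set set_idx."""
    return [ATTACKER_BASE + (w * SETS + set_idx) * LINE for w in range(WAYS)]


def prime(cache):
    """Fill every set with attacker-owned lines."""
    for s in range(SETS):
        for a in attacker_lines(s):
            cache.access(a)


def victim(cache, secret):
    """Secret-dependent lookup: the address touched depends on the secret."""
    cache.access(VICTIM_TABLE + secret * LINE)


def probe(cache):
    """Re-touch the primed lines; a miss means someone else used that set."""
    return [s for s in range(SETS)
            if any(not cache.access(a) for a in attacker_lines(s))]


def recover_secret(secret):
    """Attacker never reads the secret; it infers it from which set was evicted."""
    cache = Cache()
    prime(cache)
    victim(cache, secret)
    base_set = (VICTIM_TABLE // LINE) % SETS
    return [(s - base_set) % SETS for s in probe(cache)]
```

On real hardware the "miss" is a measured access latency rather than a boolean, noise from other tenants adds false evictions, and the attacker needs to learn the set mapping of the victim's table first; the model keeps only the inference step to show why a secret-indexed table lookup in shared cache is enough to leak.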
• 31. Example: Spectre/Meltdown
 In January 2018 several research groups disclosed two of the most impressive vulnerabilities ever found in processors, affecting nearly every chip manufactured in the last 20 years: Spectre and Meltdown
 Intel, AMD and ARM processors are affected (Meltdown mainly Intel, Spectre all three)
 The two names denote related families of attacks, each with several variants
 They exploit the speculative execution of modern processors. This is an optimization technique in which the processor performs work that may turn out not to be needed
 The flaw is that speculatively executed instructions can touch memory they are not allowed to read, and the cache retains traces of that access that an attacker can measure, leaking the protected data
 Mitigations were released, but they (sometimes dramatically) decrease application performance
• 32. DDoS/DoS – 1/2
 While some forms of DDoS/DoS are more difficult (or almost impossible) in the cloud, e.g. network-based DoS/DDoS, others remain feasible
 In particular, application-layer DoS is possible
 A sophisticated Layer 7 DDoS attack may target specific areas of a website hosted in a cloud VM, since it is very hard to tell malicious requests from normal traffic
 The attacker could make the service unavailable through the web application using, for example:
o Buffer overflows
o Malformed data
o SQL injection
• 33. DDoS/DoS – 2/2
 Attackers can also abuse account lockout
 A simple technique is multiple login attempts, since a common security control, especially for username and password authentication, is to lock out accounts that have received several unsuccessful authentication attempts in a short time interval
 Attackers can use this control to launch a DoS attack against a specific user: they only need to know the username, not the password
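Detection logic for the lockout DoS just described, run over a constructed authentication log, together with a lockout policy that does not let a stranger's failures lock out the real user. This is an added example, not code from the slides; the log format, addresses, threshold and window are assumptions.

```python
"""Account-lockout DoS: detection over constructed auth logs and a lockout policy
that does not let an attacker lock out other people's accounts.
Added example, not from the slides. Log format, addresses and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source fails three times against three accounts,
# then the legitimate user alice logs in from her own address.
LOG = """\
2018-05-01T10:00:01Z login user=alice src=198.51.100.7 result=FAIL
2018-05-01T10:00:02Z login user=alice src=198.51.100.7 result=FAIL
2018-05-01T10:00:03Z login user=alice src=198.51.100.7 result=FAIL
2018-05-01T10:00:04Z login user=bob src=198.51.100.7 result=FAIL
2018-05-01T10:00:05Z login user=bob src=198.51.100.7 result=FAIL
2018-05-01T10:00:06Z login user=bob src=198.51.100.7 result=FAIL
2018-05-01T10:00:07Z login user=carol src=198.51.100.7 result=FAIL
2018-05-01T10:00:08Z login user=carol src=198.51.100.7 result=FAIL
2018-05-01T10:00:09Z login user=carol src=198.51.100.7 result=FAIL
2018-05-01T10:05:00Z login user=alice src=203.0.113.5 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>OK|FAIL)$")
THRESHOLD = 3                    # failures that trigger a lockout (assumption)
WINDOW = timedelta(minutes=10)   # lockout window (assumption)
NOW = datetime(2018, 5, 1, 10, 5, 0)   # evaluation time for the constructed log


def parse(log):
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def _recent_failures(events, now, **match):
    return [e for e in events
            if e["res"] == "FAIL" and now - e["ts"] <= WINDOW
            and all(e[k] == v for k, v in match.items())]


def naive_locked(events, user, now):
    """Lockout keyed on the account only: anyone who knows the username can trip it."""
    return len(_recent_failures(events, now, user=user)) >= THRESHOLD


def scoped_locked(events, user, src, now):
    """Lockout keyed on (account, source): the attacker's failures do not lock
    the legitimate user out from her own address."""
    return len(_recent_failures(events, now, user=user, src=src)) >= THRESHOLD


def lockout_dos_sources(events, min_accounts=3):
    """Detection: a source that reaches THRESHOLD failures against many distinct
    accounts is trying to lock users out, not to guess one password."""
    per_src = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["res"] == "FAIL":
            per_src[e["src"]][e["user"]] += 1
    return sorted(src for src, users in per_src.items()
                  if sum(n >= THRESHOLD for n in users.values()) >= min_accounts)


def demo():
    events = parse(LOG)
    return {"naive_alice_locked": naive_locked(events, "alice", NOW),
            "scoped_alice_locked": scoped_locked(events, "alice", "203.0.113.5", NOW),
            "lockout_dos_sources": lockout_dos_sources(events)}
```

Scoping the lockout to the (account, source) pair, or replacing a hard lock with a progressive delay, removes the attacker's lever; the detection rule then flags the source so it can be blocked at the edge.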
• 34. Extrusion Attacks
 The cloud platform may also become the means through which an attack is launched
 This is due to the Ease of Use characteristic of cloud technology
 Cloud services can easily be used by malicious attackers, since the typical registration process is very simple and all that is needed is a valid credit card
 In some cases it is possible to pay with PayPal, Western Union, Payza, Bitcoin or Litecoin, i.e., the registration can be practically anonymous
 As an example, cloud nodes may be used to carry out an outbound DDoS attack
 That is, cloud nodes are used as the botnet from which the DDoS is launched
• 35. The Malicious Insider Threat
 Employees working for the cloud service provider can have complete access (both physical and logical) to the provider's resources
 Insider threats to cloud security are underestimated
 Most employees are trustworthy, but a rogue cloud provider employee has privileges that an outside attacker would have to work much harder to acquire
 Data at rest can be protected with encryption, but data in use sits in plaintext in RAM: a malicious insider with access to the physical memory of a server can easily steal the data of a VM without performing complicated side-channel attacks
 Currently, this is considered the most worrisome threat
• 36. Protection from Insiders and Side Channels
 Two technologies seem the most promising for countering attacks coming from malicious insiders or exploiting side-channel vulnerabilities, namely:
o Homomorphic Encryption
o Trusted Execution Environments
• 37. Homomorphic Encryption
 Standard cryptography requires that data be decrypted before working on it
 In the cloud, it is desirable to work on sensitive data without decrypting it first
 Homomorphic Encryption (HE) is a form of encryption that allows computation on ciphertexts, generating an encrypted result which, when decrypted, matches the result of the same operations performed on the plaintext
 With HE, a cloud tenant may:
1. Encrypt data before sending it to the cloud
2. Keep it encrypted at all times in the cloud, even during computations
3. Decrypt the results only when they are received back on local machines
• 38. Limitations of Homomorphic Encryption
 Spatial overhead
o The ciphertext of HE schemes becomes extremely large. At good security levels: 1 bit of plaintext  about 1 Kbit of ciphertext
o Hence, with HE, bandwidth and storage requirements grow by a factor of about 10^3
 Temporal overhead
o The performance of HE computations is low
o Quite often, HE does not meet execution-time requirements
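The three-step tenant workflow of slide 37 and the spatial overhead of slide 38, shown with an additively homomorphic scheme (Paillier) as an added example; this is not code from the slides or from any library. The primes are toy-sized and offer no security (an assumption made only to keep the example readable); the cloud side sees ciphertexts only and still computes a payroll total with a raise applied.

```python
"""Additively homomorphic encryption (Paillier), used the way the slide describes:
the tenant encrypts, the cloud computes on ciphertexts only, the tenant decrypts.
Added example, not from the slides. The primes are toy-sized (assumption: demo only,
offers no security); real deployments use 2048-bit or larger moduli.
"""
from math import gcd
from secrets import randbelow

P, Q = 1000000007, 998244353     # toy primes (assumption)


def _L(x: int, n: int) -> int:
    return (x - 1) // n


def keygen(p: int = P, q: int = Q):
    """Returns (public, private). public = (n, g), private = (lambda, mu, n)."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)      # lcm(p-1, q-1)
    g = n + 1
    mu = pow(_L(pow(g, lam, n * n), n), -1, n)
    return (n, g), (lam, mu, n)


def encrypt(pub, m: int) -> int:
    """Randomised: encrypting the same m twice gives different ciphertexts."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            break
    n2 = n * n
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(priv, c: int) -> int:
    lam, mu, n = priv
    return (_L(pow(c, lam, n * n), n) * mu) % n


def add(pub, c1: int, c2: int) -> int:
    """Enc(a) * Enc(b) = Enc(a + b): the cloud adds without seeing a or b."""
    n = pub[0]
    return (c1 * c2) % (n * n)


def mul_const(pub, c: int, k: int) -> int:
    """Enc(a)^k = Enc(k * a): scaling by a public constant."""
    n = pub[0]
    return pow(c, k, n * n)


def cloud_payroll(pub, encrypted_salaries, raise_pct: int) -> int:
    """Untrusted side: total salary after a raise, computed on ciphertexts only.
    Result is scaled by 100 because the scheme works over integers."""
    total = encrypted_salaries[0]
    for c in encrypted_salaries[1:]:
        total = add(pub, total, c)
    return mul_const(pub, total, 100 + raise_pct)


def ciphertext_bits(pub) -> int:
    """Spatial overhead: a ciphertext lives in Z_{n^2}, twice the bits of n."""
    return (pub[0] ** 2).bit_length()


def demo() -> int:
    pub, priv = keygen()
    salaries = [3100, 2850, 4200]                      # constructed input
    encs = [encrypt(pub, s) for s in salaries]          # 1. encrypt before upload
    result = cloud_payroll(pub, encs, 3)                 # 2. stays encrypted in the cloud
    return decrypt(priv, result)                         # 3. decrypt locally -> 1045450
```

Even this partially homomorphic scheme already shows the expansion the slide warns about: a salary that fits in 13 bits becomes a 120-bit ciphertext here, and with a 2048-bit modulus it would become 4096 bits. Fully homomorphic schemes, which also support multiplication of two ciphertexts, pay far more.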
• 39. Trusted Execution Environment
 Another possibility for facing malicious insiders is executing sensitive computations within a Trusted Execution Environment (TEE)
 A TEE is a secure area provided by the hardware of specific processors, accessible only to the code that owns it
 Separated by hardware from the main operating system, a TEE ensures the secure storage and processing of sensitive data
 In particular, TEEs can be used to:
o Execute protected computations
o Protect the encryption keys of data stored in the cloud
o Perform sensitive operations such as encryption/decryption
o Enable secure boot of systems
• 40. Trusted Execution Environment (figure)
• 41. TEE Implementations
 Two implementations of TEE are the most widely accepted:
o ARM TrustZone
o Intel Software Guard Extensions (SGX)
 ARM TrustZone was designed to ensure security in digital electronic devices (e.g., smartphones)
 It is based on two different modes of operation (Secure World and Normal World); only code running in the Secure World can access protected areas of memory and protected peripherals
• 42. Intel SGX – 1/2
• Intel SGX  An extension to the Intel CPU ISA that allows user-level code to allocate private regions of memory, called secure enclaves
• Secure enclaves  Address regions protected (with encryption and integrity hashing) from anything outside the enclave, including privileged software (OS, hypervisor)  SGX = reverse sandbox
• With SGX, enclave memory never leaves the CPU package unencrypted
• The boundary between the trusted and untrusted worlds is defined by the enclave interface, which is enforced by the CPU
• Code outside the enclave enters the trusted world through ECALLs; code inside the enclave reaches the untrusted world through OCALLs
• 43. Intel SGX – 2/2 (figure)
• 44. Intel SGX Remote Attestation – 1/2
• The idea of attestation is to prove to a remote third party that a known, untampered piece of software is running in a specific enclave
• The enclave must convince the other party it is communicating with that it has the expected measurement hash, is running in a genuine SGX environment and has not been tampered with
• SGX provides local and remote attestation capabilities:
• Local attestation allows one enclave to attest its TCB to another enclave on the same platform (uses a symmetric key scheme)
• Remote attestation allows one enclave to attest its TCB to an entity outside the platform (uses an asymmetric key scheme)
• 45. Intel SGX Remote Attestation – 2/2
• The remote attestation protocol builds a secure channel between two enclaves residing on different hosts by performing a Diffie-Hellman key exchange
• The verification is accomplished through the Intel Attestation Service (IAS). This maintains a database of keys generated and fused during manufacturing into each SGX-enabled CPU
• The mutual verification is performed using this processor key, which is accessible only by a special enclave known as the Quoting Enclave
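The exchange of slides 44 and 45, played out end to end as an added example (not Intel's protocol implementation or SDK code). Everything that SGX does in hardware or at Intel is simplified and labelled as an assumption: the Quoting Enclave's group signature is replaced by a MAC under a per-platform key that only the attestation service also knows, the Diffie-Hellman group is a toy 127-bit group, and the attestation service is a local function instead of an HTTPS request. What survives the simplification is the structure a verifier must enforce: quote checked first, measurement compared against the expected value, and the session key bound to that measurement.

```python
"""SGX-style remote attestation with a Diffie-Hellman key exchange (added example,
not Intel's protocol or SDK code). Simplifications, all assumptions: the Quoting
Enclave's EPID group signature is replaced by a MAC under a per-platform key that
only the attestation service also knows; the DH group is a toy 127-bit group;
the attestation service lookup is a local function call instead of an HTTPS request.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1     # toy DH modulus (prime, but far too small for real use)
G = 5                  # toy generator (assumption)

# Keys "fused at manufacturing" and mirrored in the attestation service's database.
PLATFORM_KEYS = {"platform-0001": secrets.token_bytes(32)}   # constructed


def measure(code: bytes) -> bytes:
    """MRENCLAVE-like measurement: hash of enclave code and initial data."""
    return hashlib.sha256(code).digest()


def quoting_enclave_sign(platform_id: str, report: bytes) -> bytes:
    """Only the Quoting Enclave can use the platform key (here: a MAC, see above)."""
    return hmac.new(PLATFORM_KEYS[platform_id], report, hashlib.sha256).digest()


def attestation_service_verify(platform_id: str, report: bytes, quote: bytes) -> bool:
    """What the attestation service does: check the quote against the platform key."""
    key = PLATFORM_KEYS.get(platform_id)
    if key is None:
        return False
    expected = hmac.new(key, report, hashlib.sha256).digest()
    return hmac.compare_digest(expected, quote)


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def derive_key(shared: int, measurement: bytes) -> bytes:
    """Bind the session key to the attested measurement, not just to the DH secret."""
    return hashlib.sha256(shared.to_bytes(16, "big") + measurement).digest()


class Enclave:
    """Attesting side: builds REPORT = measurement || DH public, gets it quoted."""

    def __init__(self, code: bytes, platform_id: str):
        self.code, self.platform_id = code, platform_id
        self.priv, self.pub = dh_keypair()

    def build_quote(self):
        report = measure(self.code) + self.pub.to_bytes(16, "big")
        return self.platform_id, report, quoting_enclave_sign(self.platform_id, report)

    def finish(self, peer_pub: int) -> bytes:
        return derive_key(pow(peer_pub, self.priv, P), measure(self.code))


class RemoteVerifier:
    """Relying party: accepts only a valid quote over the expected measurement."""

    def __init__(self, expected_measurement: bytes):
        self.expected = expected_measurement
        self.priv, self.pub = dh_keypair()

    def check(self, platform_id, report, quote):
        if not attestation_service_verify(platform_id, report, quote):
            return None                                   # forged or unknown platform
        mr, peer_pub = report[:32], int.from_bytes(report[32:], "big")
        if not hmac.compare_digest(mr, self.expected):
            return None                                   # wrong or tampered enclave
        return derive_key(pow(peer_pub, self.priv, P), mr)


def attest(enclave_code: bytes, expected_code: bytes) -> bool:
    """Full exchange; True only if the verifier accepts and both sides share a key."""
    enclave = Enclave(enclave_code, "platform-0001")
    verifier = RemoteVerifier(measure(expected_code))
    key_b = verifier.check(*enclave.build_quote())
    if key_b is None:
        return False
    key_a = enclave.finish(verifier.pub)
    return hmac.compare_digest(key_a, key_b)
```

Two things the real protocol adds that this model leaves out: the verifier's own DH public key is also authenticated (SIGMA-style) so the enclave knows who it is talking to, and the report carries security-version numbers and attributes (debug flag, product ID) that the verifier must check in addition to the measurement.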
• 46. Intel SGX Drawbacks
• SGX provides strong security, but…
1. It impacts performance: execution time suffers from the context switches between enclave and non-enclave sections of the application
2. It has limited physical memory for the Enclave Page Cache (EPC), i.e., the data structure containing the protected code and data. The Processor Reserved Memory (PRM) is limited to 128 MB
3. It does not allow ring 0 instructions within the enclave. That is, system calls cannot be executed inside it
• On Linux, the memory limit can be extended (via software paging) up to 4 GB, but at a very high performance cost
• 47. The SERECA Project
 SERECA is a H2020 European project belonging to the call:
o ICT-07-2014 - Advanced Cloud Infrastructures and Services
 A mixture of academic and industrial partners is involved:
o Technische Universität Dresden (TUD)
o Technische Universität Braunschweig (TUB)
o Imperial College London (IMP)
o Cloud&Heat Technologies (CHT)
o Epsilon S.r.l. (EPS)
o Red Hat
o jClarity
o EIPLI
 Website: www.serecaproject.eu
• 48. Integrate SGX within Microservice Applications
• Identified problem: the usable size of enclaves is limited
• How to reduce the fraction of code running inside enclaves?
• Solution: use a microservice application pattern
• Microservices are a popular solution for building scalable and resilient applications
• Each microservice is a lightweight unit of software in charge of a particular function
• Microservices became popular because their characteristics perfectly match cloud platforms
• Nowadays, this pattern is the de-facto standard for developing cloud applications
• 50. The Chosen Microservice Framework
 Vert.x was the chosen microservice framework to extend
 Vert.x is a polyglot, event-driven framework for reactive microservice applications
 Vert.x is adopted by several companies for their cloud software
 In Vert.x, microservices exchange messages through an Event Bus that supports asynchronous messaging patterns
 Vert.x makes the life of cloud developers much easier!
 Figure: microservices attached to the Vert.x Event Bus
• 52. The Critical Infrastructure Use Case
• One important use case in SERECA was a monitoring application for an Italian water supply network
• Reason: promote the adoption of cloud computing in the critical infrastructure domain to better manage big data
• Goal: enable secure data computation and storage in the cloud leveraging the SERECA cloud platform
• 53. The Dam Use Case using SERECA (figure)
 Figure: dam sensors send measurements over Modbus to a Data Collector verticle, which publishes them on the Vert.x EventBus; the verticles run inside SGX enclaves
• 54. The main issue
 Vert.x is written in Java, so it runs on top of a Java Virtual Machine (JVM)
 Intel SGX, instead, only allows enclaves written in C/C++, does not allow system calls, and has limited memory
• 55. Solutions Investigated in SERECA
 In SERECA three different solutions were investigated to harden microservices and supporting facilities (e.g. databases) with SGX:
o Approach 1 – SGX-JVM – Transparent SGX support by running a lightweight JVM inside SGX enclaves
o Approach 2 – SCONE – Transparent SGX support by executing software in SGX-enabled containers, built with an SGX-extended libc
o Approach 3 – SGX-JNI bridge – Non-transparent SGX support for small sensitive pieces of code called from a Java Virtual Machine
• 56. Approach 1 – Running a JVM inside SGX
 Running a JVM inside an SGX enclave is non-trivial and an unusual move
 Normally you would try to minimise the TCB inside an enclave, to reduce the risk of it being compromised
Good
• A JVM running in an enclave would enable an easy integration of SGX within Vert.x
• Easy porting of existing Java code
• Easier to write new Java code
Bad
• Porting the HotSpot JVM would be really difficult: the HotSpot JVM is a beast!
• A lightweight JVM (e.g. JamVM) may be a solution, but the performance of lightweight JVMs is bad
• The TCB size grows dramatically
• 57. Web Server Performance of a lightweight JVM
 We compared the performance of a Vert.x HTTP web server running on the HotSpot JVM and on a lightweight JVM (JamVM). As the plots show, the overhead is extremely large
 Figure: two plots, Vert.X HTTP Server Latency (Time in ms) and Vert.X HTTP Server Throughput (kReq/s), both against Concurrent Requests (0-3000), for HotSpot JVM vs JamVM
• 58. Approach 2 – SCONE
 Extend the libc library with SGX support and build containers with this extended library
 Run the Java software within the secure container
Good
• The effort of migrating software into the container is low
• The TCB is smaller than in Approach 1
Bad
• Performance is better than Approach 1 but still not very good
• 59. Approach 2 – SCONE
 Applications/microservices are executed in protected containers
 Applications transparently use:
o Shielded system calls, which are issued asynchronously from the enclave and executed by threads outside it
o A shielded network interface that protects network traffic with SGX (TLS terminated inside the enclave)
o Shielded file system calls that encrypt data inside the enclave before it leaves for the file system
• 60. Approach 3 – Using an SGX-JNI Bridge
• A different solution consists in keeping the enclave code in C/C++ and issuing ECALLs from Java through a JNI bridge
Good
• Performance is better than Approaches 1 and 2
• The TCB size of the enclave is kept really small
Bad
• The integration of SGX within Vert.x becomes more difficult
• The sensitive parts of Vert.x microservices need to be rewritten in C/C++
• 61. SERECA Final Architecture (figure)
 Figure: the SERECA Application Framework. Docker containers host secure verticles (Vert.x), reachable over TLS-terminated sockets, in three flavours: a Trusted Bridge (JNI bridge) between untrusted Vert.x and an SGX enclave, SGX-LKL running secure verticles, and SCONE. SCONE also protects the Secure Mongo and Secure MySQL containers. SecureKeeper provides coordination, and the verticles communicate over a Secure Event Bus. The platform runs on Cloud&Heat's Intel SGX cloud (MaaS). Legend: TLS terminated socket, Secure Event Bus, SGX Enclave, SecureKeeper, JNI Bridge, TLS, Vert.x, SGX-LKL, SCONE; partner tags RH, TU, IMP, CH
• 62. The KONFIDO Project
 Call: H2020-DS-2016-2017 (Digital Security Focus Area)
 Topic: DS-03-2016 - Increasing digital security of health related data on a systemic level
o "Proposals would provide a holistic approach to address challenges of secure storage and exchange (including cross-border) of data, protection and control over personal data, and security of health related data gathered by mobile devices combined with the usability of the eHealth solutions."
 Type of action: RIA (Research and Innovation action)
 Start date: November 1st, 2016
 Duration: 36 months
• 63. Partners
 Exus Software Ltd (UK) – Industry
 Ethniko Kentro Erevnas Kai Technologikis Anaptyxis – CERTH (GR) – Research Organization
 Consorzio Interuniversitario Nazionale per l'Informatica (IT) – Research Organization
 Fundació Eurecat (ES) – Research Organization
 Consorci Institut d'Investigacions Biomèdiques August Pi i Sunyer (ES) – Research Organization
 Commissariat à l'énergie atomique et aux énergies alternatives – CEA (FR) – Public Body
 MedCom (DK) – Public Body
• 64. KONFIDO Goals
 The KONFIDO project aims at providing secure cross-border eHealth data exchange in the EU
 Electronic health services are growing rapidly and there is a high heterogeneity of standards at both EU and national level for Electronic Health Records (EHR)
 Figure: cloud of EHR standards: CEN-EN 13606, ISO TC215, openEHR, ISO 22220, ISO 13606, ISO/TS 18308:2004, SPC, SPICCA, …
• 65. The KONFIDO Approach
 KONFIDO aims at creating a scalable and holistic paradigm for secure inner and cross-border exchange, storage and overall handling of healthcare data in a legal and ethical way, both at national and European level
 In order to achieve this objective, the following six technological pillars will be exploited:
o Security Information and Event Management (SIEM)
o Physical Unclonable Function (PUF)-based cryptography
o Homomorphic encryption
o STORK-compliant eID
o Intel Software Guard Extensions (SGX)
o Blockchain-style authentication and logging mechanisms
• 66. KONFIDO Architecture (figure)
• 67. OpenNCP
 The OpenNCP framework offers a comprehensive set of interoperability services that enable national and regional eHealth platforms to set up cross-border health information networks with minimal adaptation of the existing infrastructure
 OpenNCP, available as open source software, has been adopted in 10 Member States, allowing them to interconnect their eHealth infrastructures
 The National Contact Point (NCP) is the fulcrum of cross-border interoperability, playing the role of connecting the Participating Nation (PN) to the European-level environment
 The National Contact Point can be deployed on local infrastructure or in cloud environments
• 68. NCP concept (figure)
 HCP = HealthCare Provider
• 69. KONFIDO and OpenNCP (1/2)
 KONFIDO does not extend OpenNCP with additional features. Rather, it enhances OpenNCP by securely connecting it to the KONFIDO platform
 By doing so, the information systems of individual countries can interoperate in a secure way
 KONFIDO ensures data security at different architectural levels, in particular: presentation, processing, dissemination and storage
• 70. Patient Summary Transformation – 1/2
• The NCP host is the place where the most critical operations take place
• A Patient Summary (PS) needs to be transformed when it crosses a country border
• This operation occurs within the NCP host, in the clear
• Besides the NCP, another node is involved in the transformation process: the Terminology Server, managed by the Terminology Service Access Manager (TSAM)
• The TSAM keeps the correspondences between: i) origin-country codes, ii) epSOS codes, iii) destination-country codes
• 71. Patient Summary Transformation – 2/2
• The transformation of a PS consists of:
• Transcoding – the conversion of the original document into a pivot, OpenNCP-specific coded format
• Translating – the conversion of the pivot document into the destination country's language
• 72. OpenNCP PS Transformation (figure)
 Figure: message flow between the HCP, NCP-B (country of treatment), NCP-A (country of affiliation) and the national infrastructures NI-A and NI-B:
1. HCP asks NCP-B for the PS
2. Verify authenticity of the HCP
3. NCP-B sends the request to NCP-A
4. Verify authenticity of NCP-A
5. NCP-A sends the request to the national PS infrastructure (NI-A)
6. NI-A encrypts and returns the PS
7. NCP-A decrypts the PS
8. NCP-A transcodes the PS
9. NCP-A encrypts and sends the PS to NCP-B
10. NCP-B decrypts the PS
11. NCP-B translates the PS
12. NCP-B encrypts and returns the PS to the HCP
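The two transformation steps of slides 71 and 72 (step 8, transcoding to the pivot code; step 11, translating for the destination country), written out as an added example; this is not OpenNCP code and the code tables are constructed, with only the shape of the KCJ..KCJB99 range collapsing to one MVC code taken from the editor's note on this deck. The point for security is visible in transform(): every line of it handles the PS in plaintext, which is exactly the data-in-use window the next slides put inside an SGX enclave.

```python
"""Patient Summary transformation at an NCP: transcode national codes to the
pivot (MVC) code, then translate display names for the destination country.
Added example, not OpenNCP code. The code tables are constructed; only the
KCJ..KCJB99 -> single MVC code example follows the editor's note on this deck.
"""

# Constructed tables (assumption: not the real epSOS Master Value sets Catalogue).
# Each entry: (country, lowest code, highest code) -> pivot code. National codes
# are hierarchical strings, so the range test is a plain string comparison.
NATIONAL_TO_MVC = {
    ("DK", "KCJ", "KCJB99"): "MVC-PROC-0421",
    ("DK", "KFN", "KFNZ99"): "MVC-PROC-0502",
}
MVC_DISPLAY = {
    "MVC-PROC-0421": {"en": "Hernia repair", "sv": "Bråckoperation", "da": "Herniotomi"},
    "MVC-PROC-0502": {"en": "Appendectomy", "sv": "Blindtarmsoperation", "da": "Appendektomi"},
}


def transcode(country, code):
    """National code -> pivot code, or None when the MVC has no mapping."""
    for (c, lo, hi), mvc in NATIONAL_TO_MVC.items():
        if c == country and lo <= code <= hi:
            return mvc
    return None


def transcode_ps(ps, country):
    """Step 8 in the flow: rewrite each coded entry to the pivot code.
    Unmapped codes are kept verbatim and flagged so the receiver can see them."""
    pivot = {"patient": ps["patient"], "procedures": []}
    for proc in ps["procedures"]:
        mvc = transcode(country, proc["code"])
        pivot["procedures"].append({
            "system": "MVC" if mvc else proc["system"],
            "code": mvc or proc["code"],
            "display": proc["display"],
            "transcoded": mvc is not None,
        })
    return pivot


def translate_ps(pivot, lang):
    """Step 11 in the flow: attach the destination-language display name.
    Entries without a pivot code keep their original display text."""
    out = {"patient": pivot["patient"], "procedures": []}
    for proc in pivot["procedures"]:
        names = MVC_DISPLAY.get(proc["code"], {})
        out["procedures"].append({**proc, "display": names.get(lang, proc["display"])})
    return out


def transform(ps, src_country, dst_lang):
    """The whole clear-text window: everything here sees the PS unencrypted,
    which is why KONFIDO moves these steps into an SGX enclave."""
    return translate_ps(transcode_ps(ps, src_country), dst_lang)


# Constructed Danish Patient Summary (assumption)
PS_DK = {"patient": "anon-0001",
         "procedures": [{"system": "DK-SKS", "code": "KCJA10", "display": "Herniotomi"},
                        {"system": "DK-SKS", "code": "KXXX00", "display": "Ukendt"}]}


def demo():
    return transform(PS_DK, "DK", "sv")
```

Keeping an unmapped code flagged rather than dropping it matters clinically as well as for integrity: a silent drop would change the document's meaning, and a verifier on the receiving side can check that the flag is only ever set by the transcoding component.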
• 73. Security risks for the OpenNCP Transformation
• During the transformation, the PS is exposed to confidentiality and integrity attacks on:
• Data-in-use – Attackers who escalate privileges on the NCP node can, e.g., easily dump its memory and read or alter the PS
• Data-in-transit – Data exchanged between NCPs can be attacked. A mechanism that maintains trust between NCPs is needed
• 74. Protecting Data-in-Use – 1/2
• Two components of OpenNCP have been made SGX-enabled to protect data in use. These are:
• Transformation Manager (TM) – in charge of document (e.g. PS) schema verification, translation and transcoding
• Security Manager (SM) – in charge of security-related operations such as signature verification
• The idea is to decrypt/encrypt the PS within the enclave and shield the document processing with SGX
• 75. Protecting Data-in-Transit
• Data exchanged between NCPs is protected through encryption
• NCP enclaves establish a remotely attested communication channel that gives guarantees on the chain of trust
• The OpenNCP Protocol Terminator modules are extended to support remote attestation and SSL/TLS connections terminated inside the SGX enclave
• 76. Contact Info
Giovanni Mazzeo
e-mail: giovanni.mazzeo@uniparthenope.it
Cell: +39-334-3119910

Editor's notes

  1. Supplier lock-in is a situation in which a customer using a product or service cannot easily transition to a competitor.
  2. Figure 1 depicts the transformation process. A specific code (from the Danish procedure code table) maps to an OpenNCP code. In this case, all codes from KCJ to KCJB99 map to the same one in the Master Value sets Catalogue (MVC). Then the transcoded term is sent to the other side where it gets translated in the destination language (Swedish in this example).