INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
Cloud Security
1. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Cloud Security
Giovanni Mazzeo
Università degli Studi di Napoli «Parthenope»
2. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Roadmap
The importance of cloud technology
Cloud concepts and delivery models
Cloud pillars
Advantages and disadvantages of cloud technology
Security risks in the cloud environment
The malicious insider threat
Current approaches for protecting from malicious insiders
Case studies:
o The SERECA project: cloudifying Critical Applications
o The KONFIDO project: protecting clinical data
3. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
The growth of Cloud Computing
Compound Annual Growth Rate (CAGR) of cloud services
4. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Spending in Cloud Infrastructures
Billions of dollars spent by companies in cloud infrastructures
5. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Defining the Cloud
The National Institute of Standards and Technology (NIST)
provides the following definition:
Cloud computing is a model for enabling convenient, on-
demand network access to a shared pool of configurable
computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly provisioned
and released with minimal management effort or service
provider interaction
The cloud model increases availability and is composed of
five essential characteristics, three service models, and four
deployment models.
6. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Cloud Characteristics - 1/2
1. On-demand self-service – A consumer can unilaterally
provision computing capabilities, such as server time and
network storage, as needed automatically without requiring
human interaction with each service provider
2. Broad network access – Capabilities are available over
the network and accessed through standard mechanisms
that promote use by heterogeneous thin or thick client
platforms (e.g., mobile phones, laptops, and PDAs)
7. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Cloud Characteristics - 2/2
3. Resource pooling – The provider’s computing resources
are pooled to serve multiple consumers using a multi-
tenant model, with different physical and virtual resources
dynamically assigned and reassigned according to
consumer demand
4. Rapid elasticity – Capabilities can be rapidly and
elastically provisioned, in some cases automatically, to
quickly scale out and rapidly released to quickly scale in
5. Measured Service – Cloud systems automatically control
and optimize resource use by leveraging a metering
capability at some level of abstraction appropriate to the
type of service (e.g., storage, processing, bandwidth, and
active user accounts)
8. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Cloud Service Models
The type of cloud offerings (or service models) varies depending
on the number of hardware and software layers managed by the
provider
Each service model targets a different user, also called tenant
Generally, the cloud market proposes three solutions:
• e.g.: Google Docs, Office365, Dropbox, Apple iCloud
Software as a Service (SaaS) – Target: App Users
• e.g.: RedHat OpenShift, Force.com, Google App engine
Plaform as a Service (PaaS) – Target: App Developers
• e.g.: Amazon AWS EC2, Microsoft Azure, Google Cloud
Infrastructure as a Service (IaaS) – Target: System Admin
9. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Examples of cloud service offerings
10. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
On Premises
11. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Infrastructure as a Service (IaaS)
12. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Platform as a Service (PaaS)
13. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Software as a Service (SaaS)
14. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Example:
In 2008 Netflix decided to migrate to the IaaS Amazon AWS
Why?
o An unexpected peak of requests overloaded the servers with a
consequent service degradation
o The company faced a failure of their database that made the service
unavailable for two days
The cloud was seen as the solution:
o They do not have to manage IT systems (i.e. server installation,
maintenance, software updates, refrigeration system set up, etc.)
o They do not care if a peak of requests arrive, as the cloud scalability
ensures that automatically other servers are launched
o Even if one or more nodes fail, the service is always available
15. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Cloud enabling technology
The key enabling technology of the cloud is virtualization
Virtualization means simulating the hardware platform, the operating
system, storage devices, and network resources
Virtualization increases resources usage efficiency
16. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Virtualization Concepts
The virtualization of machines to be offered to Cloud
customers is made possible by the Hypervisor
This is a software layer that lays between the hardware and
OSes and provides an interface to share the available
resources to virtual machines
The Hypervisor is the unit that assigns, in different time
slices, hardware resources to VMs
17. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Hypervisor
Two types of hypervisor:
o Bare-metal – There is no Host OS, i.e., the hypervisor
runs directly on top of the hardware
o Hosted – The hypervisor is hosted in a host OS
18. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Container-based Virtualization
In the last 5-10 years a new form of virtualization gained
ground in cloud environments: containers
These are an OS-level virtualization method for running
multiple isolated environments within a single host
Containers do not need a Hypervisor layer
Advantages of containers with respect to VMs are:
o Faster startup
o Less resource consumption
o Cheaper
o Easier to deploy
19. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Container-based Virtualization
In the last 5-10 years a new form of virtualization gained
ground in cloud environments: Containers
These are an OS-level virtualization method for running
multiple isolated environments within a single host
Containers do not need a Hypervisor
Advantages of containers with respect to VMs are:
o Less startup time
o Less resource consumption
o Less expensive
o Easy to deploy
20. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Reference Architecture
The cloud reference architecture is composed of three main
parts:
o Supporting (IT) infrastructure: These are facilities and
services common to any IT service, cloud or otherwise.
o Cloud-specific infrastructure: These components constitute
the heart of a cloud service; cloud-specific functionalities are
typically mapped to these components.
o Cloud service consumer: The cloud service is exposed to
final consumers (e.g. for example a web server client) through
this layer
21. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Reference Architecture
User
Front End
Network
Cloud (Web) Applications
Cloud Software Environment
Kernel
Hardware
Facilities
Provider
ServicesandAPIs
ManagementAccess
IAAAMechanisms
Computational
Resources Storage
Communica
tion
Supporting IT Infrastructure
Cloud-specific Infrastructure
Service consumer
22. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Cloud Advantages
Cloud
Advantages
Main-
tainability
Security
Cost
Efficiency
Flexibility
Scalability
Reliability
23. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Cloud Disadvantages
Cloud
Disadvantages
Lock-In
Security
Internet-
dependency
Lack of
Control
Reliability
24. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Security increase brought by the Cloud
Cloud technology provides protection from some types of
attacks that are easy to realize on locally managed
systems, since it ensures:
o Higher Physical Security. Cloud vendors often host their
systems in facilities that have much stronger physical security
controls against external intruders
o Advanced detection and prevention mechanisms for Denial
of Service at the network level
o More frequent Security Patching and System Updates that
prevent viruses or worms from exploiting software bugs
o Multi-factor authentication which is much more secure than
the more traditional user name and password authentication
25. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Example: DDoS (Inbound)
Attackers are often interested in putting a system (e.g. a web server)
out of service through Distributed Denial of Service (DDoS) attacks
Hackers produce massive number
of requests to the target through
distributed nodes, also called
Botnets (a group of computers
which have been infected by
malware and have come under the
control of the malicious actor)
CPs enforce advanced mechanisms
that prevent malevolent network
inbound traffic to reach tenants’ VMs
These mechs are rarely performed
on locally managed systems
26. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Example: Ransomware (WannaCry)
A ransomware is a virus which infects a computer and freezes
the machine and the files on it. It encrypts data and requests
money
The most recent (2017) ransomware was WannaCry, that
infected more than 400k Windows machines
o Note The patch for the exploited vulnerability was available
59 days prior to the attack
Companies/people did not update their IT systems (i.e. the OS)
The adoption of cloud ensures that systems are always up
to date and patched
Attacks like WannaCry - or more in general a high
percentage of viruses - would not have been possible
27. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Security decrease brought by the Cloud
Outsourced company systems and services are exposed to a
number of confidentiality and integrity risks
Some attacks have ancient origins, others leverage typical
cloud features
The Cloud Security Alliance (CSA) identified the following top
threats:
o Account/Service Hijacking
o Shared Technology Vulnerabilities
o DDoS/DoS at application layer
o Extrusion Attacks
o Malicious Insiders
28. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Account/Service Hijacking
Cloud account hijacking is a process in which an individual or
organization’s cloud account is stolen or hijacked by an attacker
The attacker uses the stolen account information to conduct
unauthorized or malicious activity
For example, an attacker having access to the cloud virtual machine
hosting a business website can include malicious code into the web
page to attack users visiting the web page
This is also known as the watering hole attack.
Because the data is stored and accessed on devices and resources
often shared among multiple users, the risks of cloud account hijacking
are plentiful
Company integrity and reputation can be destroyed, and confidential
data can be leaked or falsified causing significant cost to enterprises
and/or customers
29. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Shared Technologies Vulnerabilities – 1/2
CPs support multiple tenants which share the underlying
infrastructure
Virtualization provides multi-tenancy through the sharing of
hardware resources like CPU cores, high level cache, storage
devices and network interface cards among different tenants
The Hypervisor is responsible for the isolation between VMs
If compromised, an attacker could get access to, e.g., sensitive
data or cryptographic keys
The category of attacks that leverage channels created through
shared hardware usually goes under name Cross-VM side-
channel
30. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Shared Technologies Vulnerabilities – 2/2
Cross-VM side channel attacks are a very sophisticated
attack
In cases where shared hardware resources exist, the side
channel attack exploits information obtained from the usage
of Central Processing Unit (CPU) core and/or high level
Cache Memory
Cache-based side channel attacks
examples are:
o Spectre/Meltdown (the most
recent)
o Prime+Probe
o Flush+Reload
31. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Example: Spectre/Meltdown
In 2018 a group of researchers revealed one of the most
impressive vulnerabilities that affects nearly every computer chip
manufactured in the last 20 years, namely: Spectre and Meltdown
Intel, AMD, and ARM processors are vulnerable to these attacks
The two names represent different variants of the same
technique
They exploit the speculative execution of modern processors.
This is an optimization technique where a computer
system performs some task that may not be needed.
The bug in the speculative execution allows to get access to
protected sections of cache memory
Solutions were proposed, but currently such solutions
(dramatically) decrease performance of applications
32. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
DDoS/DoS – 1/2
While some forms of DDoS/DoS are more difficult - or almost
impossible - in the Cloud (e.g. network-based DoS/DDoS),
others are feasible
In particular, Application-based DoS is possible
A sophisticated Layer 7 DDoS attack may target specific areas
of a website hosted in a cloud VM, since it would be virtually
impossible to separate malicious from normal traffic
The attacker could make the service unavailable through the
Web site using for example:
o Buffer Overflows
o Malformed Data
o SQL Injection
33. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
DDoS/DoS – 2/2
Also, attackers could implement an account lockout
A simple technique is multiple login attempts, since an
common security control - especially for authentication with
username and password - is to lock out accounts that have
received several unsuccessful authentication attempts in a
short time interval
Attackers can use this technique to launch DoS attacks
against a specific user
34. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Extrusion Attacks
The cloud platform may also become a means through which an
attack can be launched
This is due to the Ease of Use characteristicof cloud technology
Cloud services can easily be used by malicious attackers, since
the typical registration process is very simple, and all is needed
is a valid credit card
In some cases it is possible to pay with PayPal, Western Union,
Payza, Bitcoin, or Litecoin, i.e., the registration can be totally
anonymous
As an example, cloud nodes may be used to realize a DDoS
(Outbound) attack
That is, cloud nodes are used as Botnets for launching a DDoS
35. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
The Malicious Insider Threat
Employees working for the cloud service provider can have
complete access (both physical and logical) to company
resources
Insider threats to cloud security are underestimated
Most employees are trustworthy, but a rogue cloud provider
employee has privileges that an outside cyber attacker would
have to work much harder to acquire
The security of data at rest is not an issue, but malicious insiders
can access the physical memory of servers to easily steal data of
a VM without the need of performing complicated side-channel
attacks
Currently, this is considered the most worrisome threat
36. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Protection from Insiders and Side-Channel
Two technologies seem the most promising for countering
attacks coming both malicious insiders or exploiting side-
channel vulnerabilities, namely:
o Homomorphic Encryption
o Trusted Execution Environment
37. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Homomorphic Encryption
Standard cryptography requires that data is decrypted before
working on it
In the cloud, it is desirable to work on sensitive data without
decrypting it first
Homomorphic Encryption (HE) is a form of encryption that allows
computation on ciphertexts, generating an encrypted result
which, when decrypted, matches the result of the operations as if
they had been performed on the plaintext
With HE, a cloud tenant may:
1. Encrypt data before sending it to the Cloud
2. Keep it always encrypted in the Cloud, even during computations
3. Decrypt results only when is received back in local computers
38. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Limitations of Homomorphic Encryption
Spatial Overhead
o The cipher text of HE schemes becomes extremely large. With good
levels of security: 1 bit 1 Kb of encrypted text
o Hence, with HE, requirements in terms of bandwidth and data
storage increase with a 103 factor
Temporal Overhead
o The performance of HE computations are low
o Quite often, HE does not meet execution time requirements
39. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Trusted Execution Environment
Another possibility to face malicious insiders is by executing
sensitive computations within Trusted Execution Environments
(TEE)
A TEE is a secure area that resides in the hardware of specific
processors, which is accessible only by the application owner
Separated by hardware from the main operating system, a TEE
ensures the secure storage and processing of sensitive data
Particularly, TEEs can be used to:
o Execute protected computations
o Harden encryption keys of data stored in the cloud,
o Perform sensitive operations like encryption/decryption functions
o Enable secure boot of systems
40. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Trusted Execution Environment
41. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
TEE Implementations
Two implementations of TEE are the most accepted:
o ARM TrustZone
o Intel Software Guard eXtension (SGX)
ARM TrustZone was designed to ensure security in digital
electronic devices (e.g., smartphones)
It is based on two
different modes of
operation (Secure
World and Normal
World) that allows a
process to access
protected areas of
memory and
protected peripherals
42. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Intel SGX – 1/2
• Intel SGX An extension to Intel’s CPU ISA that allows user-
level code to allocate private regions of memory, called Secure
Enclaves
• Secure enclaves Address regions protected (with encryption
and hashing) from anything outside the enclave, including
privileged software
SGX=Reverse Sandbox
• With SGX, the process memory never leaves the CPU package
unencrypted
• The boundary between trusted and untrusted worlds is defined
through the enclave interface which is monitored by the CPU
• Code outside/inside the enclave access the trusted/untrusted
world through ECALLS/OCALLS
43. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Intel SGX – 2/2
44. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Intel SGX Remote Attestation – 1/2
• The idea of attestation is to prove – via a third remote entity – the
goodness of a software running in a specific enclave
• The enclave must convince the other enclave – with which it is
communicating – that it has a valid measurement hash, is
running in a secure environment and has not been tampered
• SGX provides Local and Remote attestation capabilities:
• Local attestation allows one enclave to attest its TCB to
another enclave on the same platform (uses a symmetric
key system)
• Remote attestation allows which one enclave to attest its
TCB to another entity outside of the platform (uses an
asymmetric key system)
45. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Intel SGX Remote Attestation – 2/2
• The remote attestation service builds a secure channel between
two enclaves residing in different hosts by performing a Diffie-
Hellman key exchange
• The verification is accomplished through the Intel Attestation
Server. This maintains a database of keys generated and fused
during manufacturing in each SGX-enabled CPU
• The mutual verification is performed using this processor key,
which is accessible only by a special enclave known as Quoting
Enclave
46. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Intel SGX Drawbacks
• SGX provides strong security, but…
1. It impacts performance: the execution time suffers from
context switches between enclave and non-enclave
application sections
2. It has limited physical memory to store the Enclave
Page Cache (EPC), i.e., the data structure containing the
protected code and data. Process Reserved Memory
(PRM) limited to 128MB
3. It does not allow ring0 instructions within the enclave.
That is, system calls cannot be executed
• On the Linux OS, the memory size limit can be extended (via
software with paging) up to 4GB, but this has a very high cost a
in terms of performance
47. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
SERECA is a H2020 European project belonging to the call:
o ICT-07-2014 - Advanced Cloud Infrastructures and Services
A Mixture of Academic and Industrial Partners Involved:
o Technische Universität Dresden (TUD)
o Technische Universität Braunschweig (TUB)
o Imperial College London (IMP)
o Cloud&Heat Technologies (CHT)
o Epsilon S.r.l. (EPS)
o Red Hat
o jClarity
o EIPLI
Website: www.serecaproject.eu
The SERECA Project
48. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
• Identified Problem: usable size of enclaves is limited
• How to reduce fraction of code running inside of
enclaves?
• Solution: Use a Microservice Application Pattern
• Microservices are a popular solution to build scalable
and resilient applications
• Each microservice is a lightweight unit of software in
charge of a particular function
• Microservices became popular since their characteristics
perfectly match with Cloud platforms
• Nowadays, this framework is the standard-de-facto for
developing cloud applications
Integrate SGX within Microservice Applications
49. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
• Identified Problem: usable size of enclaves is limited
• How to reduce fraction of code running inside of
enclaves?
• Solution: Use a Microservice Application Pattern
• Microservices are a popular solution to build scalable
and resilient applications
• Each microservice is a lightweight unit of software in
charge of a particular function
• Microservices became popular since their characteristics
perfectly match with Cloud platforms
Integrate SGX within Microservice Applications
50. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Vert.X was the chosen microservice framework to extend
Vert.x is a polyglot, event-driven framework for reactive
microservice applications
Vert.X is adopted by several companies for their cloud
software
The Chosen Microservice Framework
Micro-service
Vert.X
Event Bus
In Vert.X, microservices
exchange messages
through an EventBus
that ensures
asynchronous message
patterns
Vert.x makes the life of
cloud developers much
easier!
51. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Vert.X was the chosen microservice framework to extend
Vert.x is a polyglot, event-driven framework for reactive
microservice applications
Vert.X is adopted by several companies for their cloud
software
The Chosen Microservice Framework
Micro-service
Vert.X
Event Bus
In Vert.X, microservices
exchange messages
through an EventBus
that ensures
asynchronous message
patterns
Vert.x makes the life of
cloud developers much
easier!
52. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
• One important SERECA Use Case in SERECA was:
• A monitoring application for an Italian Water
Supply Network
• Reason: promote the adoption of cloud computing
in the Critical Infrastructure domain to better
manage Big Data
• Goal: Enabling secure data computation and
storage into the cloud leveraging the SERECA cloud
platform
The Critical Infrastructure Use Case
53. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
The Dam Use Case using SERECA
Data Collector
Verticle
c
Dam
Sensors
Measurements
Publish
Vert.x
EventBus
Modbus
Vert.x
SGX
SGX
SGX
SGX
SGX
54. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
The main issue
Vert.X is written in Java. So, it runs on top of a Java Virtual
Machine (JVM)
Intel SGX, instead, allows to build enclaves written in C/C++ ,
does not allow system calls, and has limited memory
55. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Solutions Investigated SERECA
In SERECA three different solutions were investigated to
harden with SGX microservices and supporting facilities
(e.g. databases)
o Approach 1 – SGX-JVM - A transparent SGX support
by running a lightweight JVM into SGX enclaves
o Approach 2 – SCONE – A transparent SGX support by
executing software in SGX-enabled containers, built with
SGX-extended libc libraries
o Approach 3 - SGX-JNI bridge – A non-transparent
SGX support for small sensitive pieces of code running
in a Java Virtual Machine
56. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Approach 1 – Running a JVM into SGX
Running a JVM inside an SGX enclave is non-trivial and an
unusual move.
Normally you’d try to minimise the TCB inside an enclave, to reduce
the risk of it being hacked.
Good
• Having a JVM running in an
enclave would enable an easy
integration of SGX within Vert.x
• Easy porting of already existent
Java code
• Easier to write new Java code
Bad
• Porting the Hotspot JVM would
be really difficult. The Hotspot
JVM is a beast!!!
• A lightweight JVM (e.g. JamVM)
may be a solution but…
• Performances of lightweight
JVMs are bad!
The TCB size dramatically grows
57. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Web Server Performance of lightweight JVM
0 500 1000 1500 2000 2500 3000
Concurrent Requests
0
200
400
600
800
1000
1200
Time(ms)
Vert.X HTTP Server Latency
HotSpot JVM
JamVM
0 500 1000 1500 2000 2500 3000
Concurrent Requests
0
1
2
3
4
5
6
7
8
kReq/s
Vert.X HTTP Server Throughput
HotSpot JVM
JamVM
We compared the performance of a Vert.x HTTP web server
running on a hotspot JVM and on a lightweight JVM (JamVM).
As evidenced, the overhead is extremely large
58. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Approach 2 – SCONE
Extend libc library with SGX and compile containers with
this extended library
Run the Java software within the secure container
Good
• The effort of migrating software
in the container is low
• The TCB is smaller than
Approach 1
Bad
• Performances are better than
Approach 1 but still not very
good
59. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Approach 2 – SCONE
Applications/microservices are
executed in protected
containers
Applications transparently use:
o Shielded system calls which
are executed asynchronously
in a SGX enclave
o Shielded network interface
that protects network
functionalities with SGX
o Shielded file system calls that
encrypts data in SGX before
leaving in the file system
60. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Approach 3 – Using a SGX-JNI Bridge
• A different solution consists in keep writing enclave code
in C/C++ and then realize ECALLs from Java through a
JNI bridge
Good
• Performance are better than
Approach 1 and 2
• The TCB size of the enclave is
kept really small
Bad
• The integration of SGX within
Vert.X becomes more difficult
• Need to re-write sensitive parts
of Vert.x microservices in
C/C++
61. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
SERECA Final Architecture
SERECA
Application
Framework
SecureKeeper
Docker Container
Secure Verticle
Trusted
Bridge
Untrusted
Vert.x
TLS
Docker Container
Vert.x
Secure
Verticles
Secure
Verticles
SGX-LKL
TLS
Docker Container
Secure Verticle
Trusted
Bridge
Untrusted
Vert.x
TLS
Docker Container
SCONE
Secure
Mongo
TLS
Docker Container
SCONE
Secure
MySQL
TLS
Legend:
TLS terminated
socket
Secure Event Bus
SGX Enclave
SecureKeeper
JNI Bridge
TLS
Vert.x
SGX-LKL
SCONE
RH
TU
TU
IMP
TU
Cloud MaaSIntel SGX CH
Docker Container
Secure Verticle
Trusted
Bridge
Untrusted
Vert.x
SCONE
SCONESCONE
62. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
The KONFIDO Project
Call: H2020-DS-2016-2017 (Digital Security Focus Area)
Topic: DS-03-2016 - Increasing digital security of health
related data on a systemic level
o “Proposals would provide a holistic approach to address
challenges of secure storage and exchange (including cross-
border) of data, protection and control over personal data,
and security of health related data gathered by mobile
devices combined with the usability of the eHealth solutions.”
Type of action: RIA (Research and Innovation action)
Start date: November 1st, 2016
Duration: 36 months
63. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Partners
Exus Software Ltd (UK) – Industry
Ethniko Kentro Erevnas Kai Technologikis Anaptyxis –
Certh (GR) – Research Organization
Consorzio Interuniversitario Nazionale per L'informatica (IT)
– Research Organization
Fundacio Eurecat (ES) – Research Organization
Consorci Institut D'investigacions Biomediques August Pi I
Sunyer (ES) – Research Organization
Commissariat a L’energie Atomique at Aux Energies
Alternatives – Cea (FR) – Public Body
Medcom (DN) – Public Body
64. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
KONFIDO Goals
The KONFIDO project aims at provide Secure Cross-Border
eHealth Data Exchange in EU
Electronic health services are growing rapidly and there is high
standard heterogeneity at both EU and National levels on
Electronic Health Records (EHR)
CEN-EN 13606
ISO TC215
openEHR
ISO 22220
ISO 13606
ISO/TS
18308:2004
SPC
SPICCA
…
65. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
The KONFIDO Approach
KONFIDO aims at creating a scalable and holistic paradigm for
secure inner and cross-border exchange, storage and overall
handling of healthcare data in a legal and ethical way both at
national and European level.
In order to achieve this objective, the following six technological
pillars will be exploited:
o Security Information and Event Management (SIEM)
o Physical Unclonable Function (PUF)-based cryptography
o Homomorphic encryption
o STORK-compliant eID
o Intel Software Guard Extensions (SGX)
o Authentication and logging mechanisms à la block-chain
66. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
KONFIDO Architecture
67. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
OpenNCP
The OpenNCP framework offers a comprehensive set of
interoperability services to enable national and regional e-
Health platforms to set up cross-border health information
networks with minimal adaptation of the existing
infrastructure.
The OpenNCP, available as open source software, has
been adopted in 10 Member States, allowing them to
interconnect their eHealth infrastructures.
The National Contact Point (NCP) is the fulcrum of cross
border interoperability, exploiting the role of connecting the
Participating Nation (PN) to the European Level
environment.
The National Contact Point can be deployed in local
infrastructures or in cloud environments
68. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
NCP concept
HCP= HealthCare Provider
69. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
KONFIDO and openNCP (1/2)
KONFIDO does not extend OpenNCP with additional
features. Rather, it enhances OpenNCP by securely
connecting it to the KONFIDO platform.
By doing so, the information systems of individual
countries can interoperate in a secure way.
KONFIDO ensures data security at different
architectural levels, and in particular: presentation,
processing, dissemination, and storage.
70. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/ 70
• The NCP host is the place where most critical
operations take place
• A Patient Summary (PS) needs to be Transformed
when crosses countries’ borders
• This operation occurs within the NCP host in clear
• Besides the NCP, another node is involved in the
transformation process: the Terminology Server
managed by the Terminology Service Access
Manager (TSAM)
• The TSAM keeps correspondences of: i) origin country
language codes, ii) epSOS codes, iii) destination
country codes
Patient Summary Transformation – 1/2
71. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/ 71
• The transformation of PS consists in:
• Transcoding – the modification of the original
document in a pivot OpenNCP-specific format
• Translating – the conversion of the pivoted document
in the country’s destination language
Patient Summary Transformation – 2/2
72. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/ 72
OpenNCP PS Transformation – 2/2
NCP-B
NCP-A
NI-A
NI-B
2-Verify
Authenticity of
HCP
3-Send
Request
4-Verify
Authenticity
of NCP-A
5-Send
Request National PS
Infrastructure
6-Encrypt and
Return PS
1-Ask for PS
HCP
10-Decrypt
PS
11-Translate
PS
12-Encrypt
and return
PS
7-Decrypt
PS
8-Transcode
PS
9-Encrypt
and send
PS
73. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/ 73
• During the transformation, the PS is exposed to
confidentiality and integrity attacks on:
• Data-in-use – Attackers escalating privileges may,
e.g., easily dump the memory of the NCP node and
hack the PS
• Data-in-transit – Data exchanged between NCPs
can be attacked. It is needed a mechanism that
keeps trust between NCPs
Security risks for OpenNCP Transformation
74. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/ 74
• Two components of OpenNCP have been made
SGX-enabled to protect data-in-use. These are:
• Transformation-Manager (TM) – in charge of
document (e.g. PS) schema verification,
translation, and transcoding.
• Security-Manager (SM) – in charge of security-
related operations like signature verification, etc.
• The idea is to decrypt/encrypt a PS within the enclave
and shield the document processing with SGX
Protecting Data-in-Use – 1/2
75. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/ 75
• Data exchanged between NCPs is protected through
encryption
• NCP enclaves establish a remote attested communication
that gives guarantees on the chain-of-trust
• OpenNCP Protocol Terminators modules are extended to
support remote attestation and SGX terminated SSL
connections
Protecting Data-in-Transit
76. The Fault and Intrusion Tolerant NEtworked SystemS (FITNESS) Research Group
http://www.fitnesslab.eu/
Giovanni Mazzeo
e-mail: giovanni.mazzeo@uniparthenope.it
Cell: +39-334-3119910
Contact Info
The Fault and Intrusion Tolerant NEtworked SystemS
(FITNESS)
Research Group
http://www.fitnesslab.eu/
Notas do Editor
Supplier lock-in is a situation in which a customer using a product or service cannot easily transition to a competitor.
Figure 1 depicts the transformation process. A specific code (from the Danish procedure code table) maps to an OpenNCP code. In this case, all codes from KCJ to KCJB99 map to the same one in the Master Value sets Catalogue (MVC). Then the transcoded term is sent to the other side where it gets translated in the destination language (Swedish in this example).