276 research outputs found

    Secure storage systems for untrusted cloud environments

    The cloud has become established for applications that need to be scalable and highly available. However, moving data to data centers owned and operated by a third party, i.e., the cloud provider, raises security concerns because a cloud provider could easily access and manipulate the data or program flow, preventing the cloud from being used for certain applications, like medical or financial. Hardware vendors are addressing these concerns by developing Trusted Execution Environments (TEEs) that make the CPU state and parts of memory inaccessible from the host software. While TEEs protect the current execution state, they do not provide security guarantees for data which does not fit or reside in the protected memory area, like network and persistent storage. In this work, we aim to address TEEs’ limitations in three different ways: first, we provide the trust of TEEs to persistent storage; second, we extend the trust to multiple nodes in a network; and third, we propose a compiler-based solution for accessing heterogeneous memory regions. More specifically:
    • SPEICHER extends the trust provided by TEEs to persistent storage. SPEICHER implements a key-value interface. Its design is based on LSM data structures, but extends them to provide confidentiality, integrity, and freshness for the stored data. Thus, SPEICHER can prove to the client that the data has not been tampered with by an attacker.
    • AVOCADO is a distributed in-memory key-value store (KVS) that extends the trust that TEEs provide across the network to multiple nodes, allowing KVSs to scale beyond the boundaries of a single node. On each node, AVOCADO carefully divides data between trusted memory and untrusted host memory, to maximize the amount of data that can be stored on each node. AVOCADO leverages the fact that we can model network attacks as crash-faults to trust other nodes with a hardened ABD replication protocol.
    • TOAST is based on the observation that modern high-performance systems often use several different heterogeneous memory regions that are not easily distinguishable by the programmer. The number of regions is increased by the fact that TEEs divide memory into trusted and untrusted regions. TOAST is a compiler-based approach to unify access to different heterogeneous memory regions and provides programmability and portability. TOAST uses a load/store interface to abstract most library interfaces for different memory regions.

    The Role of a Microservice Architecture on cybersecurity and operational resilience in critical systems

    Critical systems are characterized by their high degree of intolerance to threats, in other words, their high level of resilience, because depending on the context in which the system is inserted, the slightest failure could imply significant damage, whether in economic terms, or loss of reputation, of information, of infrastructure, of the environment, or human life. The security of such systems is traditionally associated with legacy infrastructures and data centers that are monolithic, which translates into increasingly high evolution and protection challenges. In the current context of rapid transformation where the variety of threats to systems has been consistently increasing, this dissertation aims to carry out a compatibility study of the microservice architecture, which is denoted by its characteristics such as resilience, scalability, modifiability and technological heterogeneity, being flexible in structural adaptations, and in rapidly evolving and highly complex settings, making it suited for agile environments. It also explores what response artificial intelligence, more specifically machine learning, can provide in a context of security and monitorability when combined with a simple banking system that adopts the microservice architecture.

    A high-availability architecture for virtualized network functions and services (Uma arquitetura de alta disponibilidade para funções e serviços virtualizados de rede)

    Advisor: Elias P. Duarte Jr. Thesis (doctorate) - Universidade Federal do Paraná, Setor de Ciências Exatas, Programa de Pós-Graduação em Informática. Defense: Curitiba, 10/02/2023. Includes references. Area of concentration: Computer Science.
    Abstract: Virtualization has represented a true revolution in the way networks are built and managed, allowing them to evolve along multiple directions. In particular, Network Function Virtualization (NFV) has been causing deep changes, since network functions traditionally implemented as specialized hardware can be replaced by software, called Virtualized Network Functions (VNFs). Despite their many advantages, some challenges still need to be addressed in order to allow their wide adoption. The contributions proposed in this Doctoral Thesis are divided into three parts. The first part explores the fact that virtualized services are more prone to failures than traditional alternatives available as specialized hardware. As networks have become extremely necessary, it is essential to ensure the correct and continuous operation of services. The first contribution proposes a high availability architecture for NFV-based services. The architecture performs fault management and offers multiple recovery strategies, while also preserving the state of VNFs through Checkpoint/Restore techniques. A prototype was implemented and experimental results show that it is possible to reach carrier-grade availability. The second part of this Thesis analyzes the susceptibility of services to failures from another perspective. Considering that virtualized services usually run on an underlying architecture, the failure of any component of this architecture could affect the entire infrastructure, restraining access or allowing unauthorized use of the system. Therefore, the second contribution proposes the FIT-SFC (Fault- & Intrusion- Tolerant SFC): an architecture to support secure and highly available virtual services. The FIT-SFC architecture is based on replication techniques to tolerate crash, omission, or intrusion failures in any of its components. A prototype was implemented and results are presented for the costs to tolerate failures. Finally, the third part of this Thesis investigates the possibility of using NFV to allow the execution of virtualized services within the network. In the context of COIN (COmputing In the Network), applications that are usually executed by the end users themselves can now be entirely executed natively within the network. The third contribution explores the synergy between NFV and COIN, called NFV-COIN. An architecture is proposed to allow the deployment and management of NFV-COIN services, while also offering a high-level interface that allows standardized operation of network services. Experiments were executed on an implemented prototype and results demonstrate the possibility of deploying and executing NFV-COIN services without introducing significant performance losses.

    Cache Attacks and Defenses

    In the digital age, as our daily lives depend heavily on interconnected computing devices, information security has become a crucial concern. The continuous exchange of data between devices over the Internet leaves our information vulnerable to potential security breaches. Yet, even with measures in place to protect devices, computing equipment inadvertently leaks information through side-channels, which emerge as byproducts of computational activities. One particular source of such side channels is the cache, a vital component of modern processors that enhances computational speed by storing frequently accessed data from random access memory (RAM). Due to their limited capacity, caches often need to be shared among concurrently running applications, resulting in vulnerabilities. Cache side-channel attacks, which exploit such vulnerabilities, have received significant attention due to their ability to stealthily compromise information confidentiality and the challenge in detecting and countering them. Consequently, numerous defense strategies have been proposed to mitigate these attacks. This thesis explores these defense strategies against cache side-channels, assesses their effectiveness, and identifies any potential vulnerabilities that could be used to undermine the effectiveness of these defense strategies. The first contribution of this thesis is a software framework to assess the security of secure cache designs. We show that while most secure caches are protected from eviction-set-based attacks, they are vulnerable to occupancy-based attacks, which work just as well as eviction-set-based attacks, and therefore should be taken into account when designing and evaluating secure caches. Our second contribution presents a method that utilizes speculative execution to enable high-resolution attacks on low-resolution timers, a common cache attack countermeasure adopted by web browsers. We demonstrate that our technique not only allows for high-resolution attacks to be performed on low-resolution timers, but is also Turing-complete and is capable of performing robust calculations on cache states. Through this research, we uncover a new attack vector on low-resolution timers. By exposing this vulnerability, we hope to prompt the necessary measures to address the issue and enhance the security of systems in the future. Our third contribution is a survey, paired with experimental assessment of cache side-channel attack detection techniques using hardware performance counters. We show that, despite numerous claims regarding their efficacy, most detection techniques fail to perform proper evaluation of their performance, leaving them vulnerable to more advanced attacks. We identify and outline these shortcomings, and furnish experimental evidence to corroborate our findings. Furthermore, we demonstrate a new attack that is capable of compromising these detection methods. Our aim is to bring attention to these shortcomings and provide insights that can aid in the development of more robust cache side-channel attack detection techniques. This thesis contributes to a deeper comprehension of cache side-channel attacks and their potential effects on information security. Furthermore, it offers valuable insights into the efficacy of existing mitigation approaches and detection methods, while identifying areas for future research and development to better safeguard our computing devices and data from these insidious attacks.
    Thesis (MPhil) -- University of Adelaide, School of Computer and Mathematical Sciences, 202

    Volume II Acquisition Research Creating Synergy for Informed Change, Thursday 19th Annual Acquisition Research Proceedings

    Proceedings. Approved for public release; distribution is unlimited.

    Using Machine Learning for Anomaly Detection on a System-on-Chip under Gamma Radiation

    The emergence of new nanoscale technologies has imposed significant challenges to designing reliable electronic systems in radiation environments. A few types of radiation effects, like Total Ionizing Dose (TID) effects, often cause permanent damage to such nanoscale electronic devices, and current state-of-the-art technologies to tackle TID make use of expensive radiation-hardened devices. This paper focuses on a novel and different approach: using machine learning algorithms on consumer electronic level Field Programmable Gate Arrays (FPGAs) to tackle TID effects and monitor the boards so that they can be replaced before they stop working. This poses the research challenge of anticipating when the board will fail completely due to TID effects. We observed internal measurements of the FPGA boards under gamma radiation and used three different anomaly detection machine learning (ML) algorithms to detect anomalies in the sensor measurements in a gamma-radiated environment. The statistical results show a highly significant relationship between the gamma radiation exposure levels and the board measurements. Moreover, our anomaly detection results have shown that a One-Class Support Vector Machine with Radial Basis Function Kernel has an average Recall score of 0.95. Also, all anomalies can be detected before the boards stop working.

    Applied Metaheuristic Computing

    For decades, Applied Metaheuristic Computing (AMC) has been a prevailing optimization technique for tackling perplexing engineering and business problems, such as scheduling, routing, ordering, bin packing, assignment, and facility layout planning, among others. This is partly because the classic exact methods are constrained by prior assumptions, and partly due to the heuristics being problem-dependent and lacking generalization. AMC, on the contrary, guides the course of low-level heuristics to search beyond the local optimality, which impairs the capability of traditional computation methods. This topic series has collected quality papers proposing cutting-edge methodology and innovative applications which drive the advances of AMC.