164 research outputs found

    Software-defined zero-trust network architecture: Evolution from Purdue model-based networking

    Digitalization has brought many technological developments that improve business operations in many industries. In recent years, the drive towards service-based solutions has shifted locally managed solutions towards vendor-managed solutions that are administered through the Internet. Unfortunately, the architecture, and the infrastructure it is based on, have not developed at the same pace. This has led to organizations undermining the architecture and the policies designed for it. Therefore, a modern architecture is needed that is capable of supporting these emerging technologies. The objective of this thesis was to find out whether the Purdue model works as a valid reference architecture for building networks to today's standards and, if it needs to be replaced, what the alternatives would be. To answer the research question, it was first investigated whether the Purdue model can be used for a modern network architecture. After that, a literature review was performed to see what some of the current and modern recommendations are. The literature review also included research on what some of the current threats to digital platforms are, and how cybersecurity is engineered. It was discovered that zero trust architecture and software-defined solutions enhance the overall security and management of operating environments. The thesis concludes with a logical reference architecture for networks as a suggested solution. The suggested solution is a new network architecture that implements the elements of zero trust and uses software-defined networking to manage the underlying infrastructure.

    Towards a Trustworthy Thin Terminal for Securing Enterprise Networks

    Organizations have many employees who lack the technical knowledge to securely operate their machines. These users may open malicious email attachments/links or install unverified software such as P2P programs. These actions introduce significant risk to an organization's network, since they allow attackers to exploit the trust and access given to a client machine. However, system administrators currently lack the control of client machines needed to prevent these security risks. A possible solution to this issue lies in attestation. In computer science, attestation is the ability of a machine to prove its current state. This capability can be used by client machines to remotely attest to their state, which other machines in the network can then use when making trust decisions. Previous research in this area has focused on the use of a static root of trust (RoT), requiring a chain of trust over the entire software stack. We would argue this approach is limited in feasibility, because it requires an understanding and evaluation of all the previous states of a machine. With the use of late launch, a dynamic root of trust introduced in the Trusted Platform Module (TPM) v1.2 specification, the required chain of trust is drastically shortened, minimizing the previous states of a machine that must be evaluated. This reduced chain of trust may allow a dynamic RoT to address the limitations of a static RoT. We are implementing a client terminal service that utilizes late launch to attest to its execution. Further, the minimal functional requirements of the service facilitate strong software verification. The goal in designing this service is not to increase the security of the network, but rather to push the functionality, and therefore the security risks and responsibilities, of client machines to the network's servers. In doing so, we create a platform that can more easily be administered by those individuals best equipped to do so, with the expectation that this will lead to better security practices. Through the use of late launch and remote attestation in our terminal service, system administrators have a strong guarantee that the clients connecting to their system are secure and can therefore focus their efforts on securing the server architecture. This effectively addresses our motivating problem, as it forces user actions to occur under the control of system administrators.

    REMOTE MOBILE SCREEN (RMS): AN APPROACH FOR SECURE BYOD ENVIRONMENTS

    Bring Your Own Device (BYOD) is a policy under which employees use their own personal mobile devices to perform work-related tasks. Enterprises reduce their costs, since they do not have to purchase and support the mobile devices. BYOD increases job satisfaction and productivity among employees, as they can choose which device to use and do not need to carry two or more devices. However, BYOD policies create an insecure environment, as the corporate network is extended and becomes harder to protect from attacks. In this scenario, corporate information can be leaked, personal and corporate spaces are not separated, it becomes difficult to enforce security policies on the devices, and employees worry about their privacy. Consequently, a secure BYOD environment must achieve the following goals: space isolation, corporate data protection, security policy enforcement, true space isolation, non-intrusiveness, and low resource consumption. We found that none of the currently available solutions achieve all of these goals. We developed Remote Mobile Screen (RMS), a framework that meets all the goals for a secure BYOD environment. To achieve this, the enterprise provides the employee with a Virtual Machine (VM) running a mobile operating system, which is located in the enterprise network and to which the employee connects using the mobile device. We provide an implementation of RMS using commonly available software for an x86 architecture. We address RMS challenges related to compatibility, scalability and latency. For the first challenge, we show that at least 90.2% of the productivity applications from Google Play can be installed on an x86 architecture, while at least 80.4% run normally. For the second challenge, we deployed our implementation on a high-performance server and ran up to 596 VMs using 256 GB of RAM. Further, we show that the number of VMs is proportional to the available RAM. For the third challenge, we used our implementation on GENI and conclude that an application latency of 150 milliseconds can be achieved. Adviser: Byrav Ramamurth

    Mitigating BYOD Information Security Risks

    Organisations that allow employees to Bring Your Own Device (BYOD) in the workplace trade off the convenience of letting employees use their own device against higher risks to the confidentiality, integrity, and availability of organisational information assets. While BYOD is a well-defined and accepted trend in some organisations, there is little research on how policies can address the information security risks posed by BYOD. This paper reviews the extant literature and develops a comprehensive list of the information security risks associated with allowing BYOD in organisations. This list is then used to evaluate five BYOD policy documents to determine how comprehensively BYOD information security risks are addressed. The outcome of this research shows that of the 13 identified BYOD risks, only 8 were adequately addressed by most of the organisations.

    FINE-GRAINED ACCESS CONTROL ON ANDROID COMPONENT

    The pervasiveness of Android devices in today's interconnected world emphasizes the importance of mobile security in protecting user privacy and digital assets. Android's current security model primarily enforces application-level mechanisms, which fail to address component-level (e.g., Activity, Service, and Content Provider) security concerns. Consequently, third-party code may exploit an application's permissions, and security features like MDM or BYOD face limitations in their implementation. To address these concerns, we propose a novel context-aware access control mechanism for Android components that enforces layered security at multiple Exception Levels (ELs), including EL0, EL1, and EL3. This approach effectively restricts component privileges and controls resource access as needed. Our solution comprises Flasa at EL0, extending SELinux policies for inter-component interactions and SQLite content control; Compac, spanning EL0 and EL1, which enforces component-level permission controls through Android runtime and kernel modifications; and TzNfc, leveraging TrustZone technologies to secure third-party services and limit system privileges via a Trusted Execution Environment (TEE). Our evaluations demonstrate the effectiveness of the proposed solution in containing component privileges, controlling inter-component interactions and protecting component-level resource access. This enhanced solution, complementing Android's existing security architecture, provides a more comprehensive approach to Android security, benefiting users, developers, and the broader mobile ecosystem.

    State of the art in software-defined networks (SDN)

    The growth of networks at a global level is inevitable due to the increase of users, devices and applications, such as the Internet of Things (IoT), the processing and analysis of large amounts of information (Big Data), or audio and video streaming, which has demanded greater storage resources and bandwidth from systems. To this end, diverse paradigms have emerged for the centralized management of all the components of a network through fully administrable, centralized and dynamic technological platforms; among these is SDN (Software-Defined Networking). This document, consequently, establishes the state of the art from a documentary research of a categorical type, to be used as a frame of reference for research in the area of SDN by the Research Group of New Technologies of Social Application GIDENUTAS, affiliated with the Universidad Distrital Francisco José de Caldas. It is chronologically limited to a review from 2007 until today, focused on the countries that have promoted the development and implementation of this new paradigm, using databases such as IEEE Xplore and Google Scholar, as well as documents from standardization organizations such as the ONF and the ITU.

    The growth of networks at a global level is inevitable due to the increase of users, devices and applications arising from concepts such as the Internet of Things (IoT), the processing and analysis of large amounts of information (Big Data), or live audio and video transmission (streaming), which has demanded from systems greater storage resources, bandwidth and high flexibility, among other characteristics. For this reason, paradigms have emerged for the centralized management of all the components of a network through fully administrable, centralized and dynamic technological platforms; among these are SD-WAN (Software-Defined Wide Area Network) and SDR (Software-Defined Radio), both of which arose thanks to the concept of Software-Defined Networking (SDN). This document, consequently, establishes a state of the art based on a documentary research of a categorical type, to be used as a frame of reference for research in the area of SDN by the Research Group of New Technologies of Social Application GIDENUTAS, affiliated with the Universidad Distrital Francisco José de Caldas. It is chronologically limited to a review from 2007 until today, focused on the countries that have promoted the development and implementation of this new paradigm, drawing on databases such as IEEE Xplore and Google Scholar, as well as documents from standardization organizations such as the ONF and the ITU.

    CrowdAdaptor: A Crowd Sourcing Approach toward Adaptive Energy-Efficient Configurations of Virtual Machines Hosting Mobile Applications

    Applications written by end-user programmers are rarely energy-optimized by those programmers. The end users of such applications thus suffer significant energy issues. In this paper, we propose CrowdAdaptor, a novel approach to locating energy-efficient configurations for executing applications hosted in virtual machines on handheld devices. CrowdAdaptor innovatively makes use of the development artifacts (test cases) and the very large installation base of the same application to distribute the test executions and performance data collection of the whole test suite, against many different virtual machine configurations, across these installations. It synthesizes these data, continuously discovers better energy-efficient configurations, and makes them available to all installations of the same application. We report a multi-subject case study on the ability of the framework to discover energy-efficient configurations under three power models. The results show that CrowdAdaptor can achieve up to 50% energy savings based on a conservative linear power model.