
    Dynamic real-time risk analytics of uncontrollable states in complex internet of things systems, cyber risk at the edge

    The Internet of Things (IoT) triggers new types of cyber risk. Therefore, the integration of new IoT devices and services requires a self-assessment of IoT cyber security posture. By security posture this article refers to the cybersecurity strength of an organisation to predict, prevent and respond to cyberthreats. At present, there is a gap in the state of the art, because there are no self-assessment methods for quantifying IoT cyber risk posture. To address this gap, an empirical analysis is performed of 12 cyber risk assessment approaches. The results and the main findings from the analysis are presented as the current and a target risk state for IoT systems, followed by conclusions and recommendations on a transformation roadmap, describing how IoT systems can achieve the target state with a new goal-oriented dependency model. By target state, we refer to the cyber security target that matches the generic security requirements of an organisation. The research paper studies and adapts four alternatives for IoT risk assessment and identifies goal-oriented dependency modelling as the dominant approach among the risk assessment models studied. The new goal-oriented dependency model in this article enables the assessment of uncontrollable risk states in complex IoT systems and can be used for a quantitative self-assessment of IoT cyber risk posture.

    A Survey of Green Networking Research

    Reduction of unnecessary energy consumption is becoming a major concern in wired networking, because of the potential economic benefits and the expected environmental impact. These issues, usually referred to as "green networking", relate to embedding energy-awareness in the design, the devices and the protocols of networks. In this work, we first formulate a more precise definition of the "green" attribute. We furthermore identify a few paradigms that are the key enablers of energy-aware networking research. We then overview the current state of the art and provide a taxonomy of the relevant work, with a special focus on wired networking. At a high level, we identify four branches of green networking research that stem from different observations on the root causes of energy waste, namely (i) Adaptive Link Rate, (ii) Interface Proxying, (iii) Energy-aware Infrastructures and (iv) Energy-aware Applications. In this work, we not only explore specific proposals pertaining to each of the above branches, but also offer a perspective for research. Comment: Index Terms: Green Networking; Wired Networks; Adaptive Link Rate; Interface Proxying; Energy-aware Infrastructures; Energy-aware Applications. 18 pages, 6 figures, 2 tables.

    The Legacy of Multics and Secure Operating Systems Today

    This paper looks at the legacy of Multics from 1963 and its influence on computer security. It discusses kernel-based and virtualization-based containment in projects like SELinux and Qubes, respectively. The paper notes the importance of collaborative and research-driven projects like Qubes and the Tor Project.

    The Road Ahead for Networking: A Survey on ICN-IP Coexistence Solutions

    In recent years, the current Internet has experienced an unexpected paradigm shift in its usage model, which has pushed researchers towards the design of the Information-Centric Networking (ICN) paradigm as a possible replacement for the existing architecture. Even though both academia and industry have investigated the feasibility and effectiveness of ICN, achieving the complete replacement of the Internet Protocol (IP) is a challenging task. Some research groups have already addressed coexistence by designing their own architectures, but none of those is the final solution for moving towards the future Internet given the unaltered state of networking. To design such an architecture, the research community now needs a comprehensive overview of the existing solutions that have so far addressed coexistence. The purpose of this paper is to reach this goal by providing the first comprehensive survey and classification of the coexistence architectures according to their features (i.e., deployment approach, deployment scenarios, addressed coexistence requirements and architecture or technology used) and evaluation parameters (i.e., challenges emerging during deployment and the runtime behaviour of an architecture). We believe that this paper will finally fill the gap that must be closed before the final coexistence architecture can be designed. Comment: 23 pages, 16 figures, 3 tables.

    A security perspective on Unikernels

    Cloud-based infrastructures have grown in popularity over the last decade, leveraging virtualisation, server, storage, compute and network components to develop flexible applications. The requirements for instantaneous deployment and reduced costs have led to the shift from virtual machine deployment to containerisation, increasing the overall flexibility of applications and improving performance. However, containers require a fully fledged operating system to execute, increasing the attack surface of an application. Unikernels, on the other hand, provide a lightweight memory footprint, ease of application packaging and reduced start-up times. Moreover, Unikernels reduce the attack surface because the self-contained environment enables only low-level features. In this work, we provide an exhaustive description of the unikernel ecosystem; we demonstrate unikernel vulnerabilities and further discuss the security implications of Unikernel-enabled environments through different use cases.

    Interoperabilidade e mobilidade na internet do futuro

    Research on the Future Internet has been gaining traction in recent years, with both evolutionary (e.g., Software Defined Networking (SDN)-based architectures) and clean-slate network architectures (e.g., Information Centric Networking (ICN) architectures) being proposed. With each architectural proposal aiming to provide better solutions for specific Internet utilization requirements, a heterogeneous Future Internet composed of several architectures can be expected, each targeting and optimizing different use-case scenarios. Moreover, the increasing number of mobile devices, with growing capabilities and support for different connectivity technologies, is changing the patterns of traffic exchanged on the Internet. As such, this thesis focuses on the study of interoperability and mobility in Future Internet architectures, two key requirements that need to be addressed for the wide adoption of these network architectures. The first contribution of this thesis is an interoperability framework that, by enabling resources to be shared among different network architectures, prevents resources from being restricted to a given network architecture and, at the same time, promotes the initial roll-out of new network architectures. The second contribution of this thesis consists of the development of enhancements for SDN-based and ICN network architectures through IEEE 802.21 mechanisms to facilitate and optimize the handover procedures in those architectures. The last contribution of this thesis is the definition of an inter-network-architecture mobility framework that enables mobile nodes (MNs) to move across access networks supporting different network architectures without losing reachability to the resources being accessed. All the proposed solutions were evaluated, with results highlighting the feasibility of the solutions and their impact on the overall communication. Doctoral Programme in Informatics (Programa Doutoral em Informática).

    Dovetail: Stronger Anonymity in Next-Generation Internet Routing

    Current low-latency anonymity systems use complex overlay networks to conceal a user's IP address, introducing significant latency and network efficiency penalties compared to normal Internet usage. Rather than obfuscating network identity through higher-level protocols, we propose a more direct solution: a routing protocol that allows communication without exposing network identity, providing a strong foundation for Internet privacy, while allowing identity to be defined in those higher-level protocols where it adds value. Given current research initiatives advocating "clean slate" Internet designs, an opportunity exists to design an internetwork-layer routing protocol that decouples identity from network location and thereby simplifies the anonymity problem. Recently, Hsiao et al. proposed such a protocol (LAP), but it does not protect the user against a local eavesdropper or an untrusted ISP, which will not be acceptable for many users. Thus, we propose Dovetail, a next-generation Internet routing protocol that provides anonymity against an active attacker located at any single point within the network, including the user's ISP. A major design challenge is to provide this protection without including an application-layer proxy in data transmission. We address this challenge in path construction by using a matchmaker node (an end host) to overlap two path segments at a dovetail node (a router). The dovetail then trims away part of the path so that data transmission bypasses the matchmaker. Additional design features include the choice of many different paths through the network and the joining of path segments without requiring a trusted third party. We develop a systematic mechanism to measure the topological anonymity of our designs, and we demonstrate the privacy and efficiency of our proposal by simulation, using a model of the complete Internet at the AS level.
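    The matchmaker/dovetail path construction described in the abstract, as an added toy model written for this page (it is not the Dovetail authors' code or simulator). Assumptions: a path is an ordered list of node names; the source builds segment 1 from itself to the matchmaker and segment 2 from the matchmaker to the destination, both passing through the same dovetail router; a forwarding node learns only its two neighbours on the data path; the node names (S, ISP, R1, D, M, T) are constructed. The "neighbour-only" knowledge model is a simplification chosen for the example, not a claim about what Dovetail's headers actually reveal.

```python
"""Toy model of Dovetail path construction and trimming (added example, not the paper's code)."""

from typing import Dict, List, Optional, Tuple

Hop = Tuple[Optional[str], Optional[str]]


def join_at_dovetail(segment1: List[str], segment2: List[str], dovetail: str) -> List[str]:
    """Overlap two path segments at the dovetail router and trim the loop through the matchmaker.

    segment1: source -> ... -> dovetail -> ... -> matchmaker
    segment2: matchmaker -> ... -> dovetail -> ... -> destination
    result:   source -> ... -> dovetail -> ... -> destination   (matchmaker bypassed)
    """
    if segment1[-1] != segment2[0]:
        raise ValueError("segment 1 must end at the matchmaker where segment 2 starts")
    if dovetail not in segment1 or dovetail not in segment2:
        raise ValueError("both segments must pass through the dovetail router")
    head = segment1[: segment1.index(dovetail)]   # source up to, not including, the dovetail
    tail = segment2[segment2.index(dovetail):]    # dovetail through to the destination
    return head + tail


def hop_views(path: List[str]) -> Dict[str, Hop]:
    """Assumed knowledge model: each node on the data path sees only its two neighbours."""
    views: Dict[str, Hop] = {}
    for i, node in enumerate(path):
        prev_hop = path[i - 1] if i > 0 else None
        next_hop = path[i + 1] if i + 1 < len(path) else None
        views[node] = (prev_hop, next_hop)
    return views


def endpoint_exposure(path: List[str]) -> Dict[str, Dict[str, bool]]:
    """For every intermediate node, whether it is adjacent to the source and/or the destination.

    Under the neighbour-only model only the first hop (the user's ISP) is adjacent to the
    source and only the last hop is adjacent to the destination.
    """
    src, dst = path[0], path[-1]
    report: Dict[str, Dict[str, bool]] = {}
    for node, (prev_hop, next_hop) in hop_views(path).items():
        if node in (src, dst):
            continue
        report[node] = {
            "sees_source": src in (prev_hop, next_hop),
            "sees_destination": dst in (prev_hop, next_hop),
        }
    return report


def no_single_node_sees_both(path: List[str]) -> bool:
    """True when no intermediate node can link source and destination by itself."""
    return not any(
        r["sees_source"] and r["sees_destination"] for r in endpoint_exposure(path).values()
    )


if __name__ == "__main__":
    # Constructed topology: S = user, ISP = the user's access provider, D = dovetail router,
    # M = matchmaker (an end host), R* = other routers, T = destination.
    seg1 = ["S", "ISP", "R1", "D", "R2", "M"]
    seg2 = ["M", "R3", "D", "R4", "T"]
    data_path = join_at_dovetail(seg1, seg2, "D")
    print(data_path)                         # ['S', 'ISP', 'R1', 'D', 'R4', 'T']
    print(endpoint_exposure(data_path))
    print(no_single_node_sees_both(data_path))   # True
```

    The degenerate case is worth keeping in mind: if the trimmed path has a single intermediate node (source, one router, destination), that router necessarily sees both endpoints, and `no_single_node_sees_both` returns False. The abstract's claim covers an attacker at any single point, so path selection has to avoid such short paths as well as paths where the ISP is also the last hop.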

    Recursive internetwork architecture, investigating RINA as an alternative to TCP/IP (IRATI)

    Driven by the requirements of emerging applications and networks, the Internet has become an architectural patchwork of growing complexity which strains to cope with the changes. Moore's law prevented us from recognising that the problem does not hide in the high demands of today's applications but lies in the flaws of the Internet's original design. The Internet needs to move beyond TCP/IP to prosper in the long term; TCP/IP has outlived its usefulness. The Recursive InterNetwork Architecture (RINA) is a new internetwork architecture whose fundamental principle is that networking is only interprocess communication (IPC). RINA reconstructs the overall structure of the Internet, forming a model that comprises a single repeating layer, the DIF (Distributed IPC Facility), which is the minimal set of components required to allow distributed IPC between application processes. RINA inherently supports mobility, multi-homing and Quality of Service without the need for extra mechanisms, provides a secure and configurable environment, motivates a more competitive marketplace and allows for seamless adoption. RINA is the best choice for next generation networks due to its sound theory, simplicity and the features it enables. IRATI's goal is to explore this new architecture further. IRATI will advance the state of the art of RINA towards an architecture reference model and specifications that are closer to enabling implementations deployable in production scenarios. The design and implementation of a RINA prototype on top of Ethernet will permit the experimentation and evaluation of RINA in comparison to TCP/IP. IRATI will use the OFELIA testbed to carry out its experimental activities. Both projects will benefit from the collaboration: IRATI will gain access to a large-scale testbed with a controlled network, while OFELIA will get a unique use case to validate the facility, the experimentation of a non-IP-based Internet.

    High-speed, in-band performance measurement instrumentation for next generation IP networks

    Facilitating always-on instrumentation of Internet traffic for the purposes of performance measurement is crucial in order to enable accountability of resource usage and automated network control, management and optimisation. This has proven infeasible to date due to the lack of native measurement mechanisms that can form an integral part of the network's main forwarding operation. However, the Internet Protocol version 6 (IPv6) specification enables the efficient encoding and processing of optional per-packet information as a native part of the network layer, and this constitutes a strong reason for IPv6 to be adopted as the ubiquitous next generation Internet transport. In this paper we present a very high-speed hardware implementation of in-line measurement, a truly native traffic instrumentation mechanism for the next generation Internet, which facilitates performance measurement of the actual data-carrying traffic at small timescales between two points in the network. This system is designed to operate as part of the routers' fast path and to incur an absolutely minimal impact on network operation even while instrumenting traffic between the edges of very high capacity links. Our results show that the implementation can be easily accommodated by current FPGA technology, and real Internet traffic traces verify that the overhead incurred by instrumenting every packet over a 10 Gb/s operational backbone link carrying a typical workload is indeed negligible.
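    The "optional per-packet information as a native part of the network layer" that the abstract relies on is what IPv6 extension headers provide. The following is an added software example written for this page, not the paper's FPGA design: it encodes a small measurement record (sequence number and send timestamp) as an option inside a Destination Options extension header (RFC 8200, section 4.6), then decodes it at the far end and computes the one-way delay. Assumptions: the option type value 0x1E is illustrative and not an IANA-assigned type; the layout of the 12-octet option data is this example's own; "sender" and "receiver" are two function calls rather than two routers, and the timestamps are constructed values.

```python
"""In-band per-packet measurement record carried in an IPv6 Destination Options header.

Added example, not the paper's implementation. Option type 0x1E and the record
layout (uint32 sequence, uint64 send time in ns) are this example's assumptions.
"""

import struct
from typing import Dict, Tuple

NEXT_HEADER_UDP = 17
OPT_PAD1 = 0x00   # one-octet padding (RFC 8200)
OPT_PADN = 0x01   # N-octet padding (RFC 8200)
# Illustrative measurement option. The two high bits are 00, so a receiver that does not
# recognise the option skips it; bit 5 is 0, so the data is not expected to change en route.
OPT_INLINE_MEAS = 0x1E
KNOWN_OPTIONS = {OPT_PAD1, OPT_PADN, OPT_INLINE_MEAS}

Options = Dict[int, bytes]


def build_dest_opts(next_header: int, seq: int, send_ns: int) -> bytes:
    """Sender side: encode a Destination Options header carrying (seq, send_ns)."""
    data = struct.pack("!IQ", seq, send_ns)                    # 4 + 8 = 12 octets
    body = struct.pack("!BB", OPT_INLINE_MEAS, len(data)) + data
    # Extension headers are sized in 8-octet units, so pad the option list.
    pad = (-(2 + len(body))) % 8
    if pad == 1:
        body += bytes([OPT_PAD1])
    elif pad > 1:
        body += struct.pack("!BB", OPT_PADN, pad - 2) + b"\x00" * (pad - 2)
    hdr_ext_len = (2 + len(body)) // 8 - 1                     # excludes the first 8 octets
    return struct.pack("!BB", next_header, hdr_ext_len) + body


def parse_dest_opts(buf: bytes) -> Tuple[int, Options, int]:
    """Decode a Destination Options header; returns (next_header, {type: data}, header_len).

    Unknown options are skipped or rejected according to their two action bits, which is
    what RFC 8200 requires of a receiver. Every length is checked before it is used.
    """
    if len(buf) < 2:
        raise ValueError("short header")
    next_header, hdr_ext_len = struct.unpack("!BB", buf[:2])
    hdr_len = (hdr_ext_len + 1) * 8
    if len(buf) < hdr_len:
        raise ValueError("truncated extension header")
    options: Options = {}
    i = 2
    while i < hdr_len:
        opt_type = buf[i]
        if opt_type == OPT_PAD1:
            i += 1
            continue
        if i + 2 > hdr_len:
            raise ValueError("option header runs past the extension header")
        opt_len = buf[i + 1]
        if i + 2 + opt_len > hdr_len:
            raise ValueError("option data runs past the extension header")
        opt_data = buf[i + 2 : i + 2 + opt_len]
        if opt_type not in KNOWN_OPTIONS:
            if opt_type >> 6 != 0:            # action bits 01/10/11: discard the packet
                raise ValueError(f"unrecognised option 0x{opt_type:02x} requires discard")
            # action bits 00: skip the option and keep processing
        elif opt_type != OPT_PADN:
            options[opt_type] = opt_data
        i += 2 + opt_len
    return next_header, options, hdr_len


def one_way_delay_ns(buf: bytes, recv_ns: int) -> int:
    """Receiver side: recover the sender's timestamp and return the one-way delay."""
    _, options, _ = parse_dest_opts(buf)
    _seq, send_ns = struct.unpack("!IQ", options[OPT_INLINE_MEAS])
    return recv_ns - send_ns


if __name__ == "__main__":
    hdr = build_dest_opts(NEXT_HEADER_UDP, seq=1, send_ns=5_000)   # constructed send time
    print(hdr.hex(), len(hdr))                                     # 16-octet header
    print(one_way_delay_ns(hdr, recv_ns=7_500))                    # 2500
```

    Two practitioner caveats the abstract does not spell out: a one-way delay is only meaningful if the two measurement points share a synchronised clock, and the option carries no integrity protection, so any on-path device can rewrite the record; delay figures taken across an untrusted path should be treated as such.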