54 research outputs found
Proceedings of the Workshop on web applications and secure hardware (WASH 2013).
Web browsers are becoming the platform of choice for applications that need to work across a wide range of different devices, including mobile phones, tablets, PCs, TVs and in-car systems. However, for web applications which require a higher level of assurance, such as online banking, mobile payment, and media distribution (DRM), there are significant security and privacy challenges. A potential solution to some of these problems can be found in the use of secure hardware – such as TPMs, ARM TrustZone, virtualisation and secure elements – but these are rarely accessible to web applications or used by web browsers. The First Workshop on Web Applications and Secure Hardware (WASH'13) focused on how secure hardware could be used to enhance web applications and web browsers to provide functionality such as credential storage, attestation and secure execution. This included challenges in compatibility (supporting the same security features despite different user hardware) as well as multi-device scenarios where a device with hardware mechanisms can help provide assurance for systems without. Also of interest were proposals to enhance existing security mechanisms and protocols, security models where the browser is not trusted by the web application, and enhancements to the browser itself.
PALANTIR: Zero-trust architecture for Managed Security Service Provider
The H2020 PALANTIR project aims at delivering a Security-as-a-Service solution to SMEs and microenterprises via the exploitation of containerised Network Functions. However, these functions are conceived by third-party developers and can also be deployed in untrustworthy virtualisation layers, depending on the subscribed delivery model. Therefore, they cannot be trusted and require stringent monitoring to ensure their harmlessness, as well as adequate measures to remediate any nefarious activities. This paper justifies, details and evaluates a Zero-Trust architecture supporting PALANTIR's solution. Specifically, PALANTIR periodically attests the service and infrastructure's components for signs of compromise by implementing the Trusted Computing paradigm. Verification addresses the firmware, OS and software using UEFI measured boot and Linux Integrity Measurement Architecture, extended to support containerised application attestation. Mitigation actions are supervised by the Recovery Service and the Security Orchestrator based on OSM to, respectively, determine the adequate remediation actions from a recovery policy and enforce them down to the lower layers of the infrastructure through local authenticated enablers. We detail an implementation prototype serving as a baseline for quantitative evaluation of our work.
A novel architecture to virtualise a hardware-bound trusted platform module
Security and trust are particularly relevant in modern softwarised infrastructures, such as cloud environments, as applications are deployed on platforms owned by third parties, are publicly accessible on the Internet and can share the hardware with other tenants. Traditionally, operating systems and applications have leveraged hardware tamper-proof chips, such as the Trusted Platform Modules (TPMs), to implement security workflows, such as remote attestation, and to protect sensitive data against software attacks. This approach does not easily translate to the cloud environment, wherein the isolation provided by the hypervisor makes it impractical to leverage the hardware root of trust in the virtual domains. Moreover, the scalability needs of the cloud often collide with the scarce hardware resources and inherent limitations of TPMs. For this reason, existing implementations of virtual TPMs (vTPMs) are based on TPM emulators. Although more flexible and scalable, this approach is less secure. In fact, each vTPM is vulnerable to software attacks both at the virtualised and hypervisor levels. In this work, we propose a novel design for vTPMs that provides a binding to an underlying physical TPM; the new design, akin to a virtualisation extension for TPMs, extends the latest TPM 2.0 specification. We minimise the number of required additions to the TPM data structures and commands so that they do not require a new, non-backwards compatible version of the specification. Moreover, we support migration of vTPMs among TPM-equipped hosts, as this is considered a key feature in a highly virtualised environment. Finally, we propose a flexible approach to vTPM object creation that protects vTPM secrets either in hardware or software, depending on the required level of assurance.
myTrustedCloud: Trusted cloud infrastructure for security-critical computation and data management
Copyright © 2012 IEEE. Cloud Computing provides an optimal infrastructure to utilise and share both computational and data resources whilst allowing a pay-per-use model, useful to cost-effectively manage hardware investment or to maximise its utilisation. Cloud Computing also offers transitory access to scalable amounts of computational resources, something that is particularly important due to the time and financial constraints of many user communities. The growing number of communities that are adopting large public cloud resources such as Amazon Web Services [1] or Microsoft Azure [2] proves the success and hence usefulness of the Cloud Computing paradigm. Nonetheless, the typical use cases for public clouds involve non-business-critical applications, particularly where issues around the security of applications or of data deposited within shared public services are binding requirements. In this paper, a use case is presented illustrating how the integration of Trusted Computing technologies into an available cloud infrastructure - Eucalyptus - allows the security-critical energy industry to exploit the flexibility and potential economic benefits of the Cloud Computing paradigm for their business-critical applications.
Authorisation Issues for Mobile Code in Mobile Systems
This thesis is concerned with authorisation issues for mobile code in mobile systems. It is divided into three main parts. Part I covers the development of a policy-based framework for the authorisation of mobile code and agents by host systems. Part II addresses the secure download, storage and execution of a conditional access application, used in the secure distribution of digital video broadcast content. Part III explores the way in which trusted computing technology may be used in the robust implementation of OMA DRM version 2.
In Part I of this thesis, we construct a policy-based mobile code and agent authorisation framework, with the objective of providing both mobile devices and service providers with the ability to assign appropriate privileges to incoming executables. Whilst mobile code and agent authorisation mechanisms have previously been considered in a general context, this thesis focuses on the special requirements resulting from mobile code and agent authorisation in a mobile environment, which restrict the types of solutions that may be viable. Following the description and analysis of a number of architectural models upon which a policy-based framework for mobile code and agent authorisation may be constructed, we outline a list of features desirable in the definitive underlying architecture. Specific implementation requirements for the capabilities of the policy and attribute certificate specification languages and the associated policy engine are then extracted. Candidate policy specification languages, namely KeyNote (and Nereus), Ponder (and (D)TPL) and SAML, are then examined, and conclusions drawn regarding their suitability for framework expression. Finally, the definitive policy-based framework for mobile code and agent authorisation is described.
In the second part of this thesis, a flexible approach that allows consumer products to support a wide range of proprietary content protection systems, or more specifically digital video broadcast conditional access systems, is proposed. Two protocols for the secure download of content protection software to mobile devices are described. The protocols apply concepts from trusted computing to demonstrate that a platform is in a sufficiently trustworthy state before any application or associated keys are securely downloaded. The protocols are designed to allow mobile devices to receive broadcast content protected by proprietary conditional access applications. Generic protocols are first described, followed by an analysis of how well the downloaded code is protected in transmission. How the generic protocols may be implemented using specific trusted computing technologies is then investigated. For each of the selected trusted computing technologies, an analysis of how the conditional access application is protected while in storage and while executing on the mobile host is also presented. We then examine two previously proposed download protocols, which assume a mobile receiver compliant with the XOM and AEGIS system architectures. Both protocols are then analysed against the security requirements defined for secure application download, storage and execution. We subsequently give a series of proposed enhancements to the protocols which are designed to address the identified shortcomings.
In the final section of this thesis, we examine OMA DRM version 2, which defines the messages, protocols and mechanisms necessary in order to control the use of digital content in a mobile environment. However, an organisation, such as the CMLA, must specify how robust implementations of the OMA DRM version 2 specification should be, so that content providers can be confident that their content will be safe on OMA DRM version 2 devices. We take the requirements extracted for the robust implementation of the OMA DRM version 2 specification and propose an implementation which meets these requirements using the TCG architecture and TPM/TSS version 1.2 commands.
Attestation in Trusted Computing: Challenges and Potential Solutions
This report examines the state of play in TCG attestation. It asks the question: how practical is the attestation specification, and does it meet the needs of designs that propose to take advantage of trusted computing functionality? It is shown that, broadly speaking, both the specification and its implementations fall short of their stated goals. Application designs expect different semantics. Straightforward application of attestation to a running system neither provides adequate assurance nor scales. It is argued that extending the TCG architecture and reworking application designs are the most viable routes to making attestation a practical proposition.
Secure and Trusted Execution: Past, Present, and Future - A Critical Review in the Context of the Internet of Things and Cyber-Physical Systems
International audience.
Enhancing End User Security - Attacks & Solutions
End user computing environments, e.g. web browsers and PC operating systems, are the target of a large number of attacks, both online and offline. The nature of these attacks varies from simple online attacks, such as user tracking using cookies, to more sophisticated attacks on security protocols and cryptographic algorithms. Other methods of attack exist that target end user applications that utilise and interact with cryptographic functions provided by the PC operating system.
After providing a general introduction to the security techniques and protocols used in this thesis, a review of possible threats to end user computing environments is given, followed by a discussion of the countermeasures needed to combat these threats. The contributions of this thesis include three new approaches for enhancing the security of end user systems, together with an analysis and a prototype implementation of an end user security enhancement tool. The following paragraphs summarise the three main contributions of this thesis.
Digitally signing a digital document is a straightforward procedure; however, when the digital document contains dynamic content, the digital signature may remain valid but the viewed document may not be the same as the document when viewed by the signer. A new solution is proposed to solve the problem; the main idea behind the solution is to make the application aware of the sensitive cryptographic function being requested.
In order to verify a digital signature computed on a document or any other object (e.g. an executable), access to the public key corresponding to the private key used to sign the document is required. Normally, the public part of the key is made available in a digital 'certificate', which is made up of the public key of the signer, the name of the signer, and other data, all signed using the private signing key of a trusted third party known as a Certification Authority (CA). To verify such a certificate, and thereby obtain a trusted copy of the document signer's public key, a trusted copy of the CA's public key is required. If a malicious party can insert a fake CA public key into the list of CA public keys stored in a PC, then this party could potentially do considerable harm to that PC, since this malicious party could then forge signatures apparently created by other entities. A method of achieving such an attack without attracting the user's attention is presented in this thesis. Countermeasures that can be deployed to prevent the insertion of a fake root public key are discussed. A suggested solution that can be used to detect and remove such fake keys is presented, and a prototype implementation of this solution is described.
SSL/TLS supports mutual authentication, i.e. both server and client authentication, using public key certificates. However, this optional feature of SSL/TLS is not widely used because most end users do not have a certified public key. Certain attacks rely on this fact, such as web spoofing and phishing attacks. A method for supporting client-side SSL authentication using trusted computing platforms is proposed. The proposed approach makes a class of phishing attacks ineffective; moreover, the proposed method can also be used to protect against other online attacks.
Security and trust in a Network Functions Virtualisation Infrastructure
The abstract is in the attachment.