DASICS: Enhancing Memory Protection with Dynamic Compartmentalization
In the existing software development ecosystem, security issues introduced by
third-party code cannot be overlooked. Among these security concerns, memory
access vulnerabilities stand out prominently, leading to risks such as the
theft or tampering of sensitive data. To address this issue, software-based
defense mechanisms have been established at the programming language, compiler,
and operating system levels. However, as a trade-off, these mechanisms
significantly reduce software execution efficiency. Hardware-software co-design
approaches have sought to either construct entirely isolated trusted execution
environments or attempt to partition security domains within the same address
space. While such approaches enhance efficiency compared to pure software
methods, they also encounter challenges related to granularity of protection,
performance overhead, and portability. In response to these challenges, we
present the DASICS (Dynamic in-Address-Space Isolation by Code Segments) secure
processor design, which offers dynamic and flexible security protection across
multiple privilege levels, addressing data flow protection, control flow
protection, and secure system calls. We have implemented hardware FPGA
prototypes and software QEMU simulator prototypes based on DASICS, along with
necessary modifications to system software for adaptability. We illustrate the
protective mechanisms and effectiveness of DASICS with two practical examples
and provide potential real-world use cases where DASICS could be applied. Comment: 16 pages, 6 figure
Encryption AXI Transaction Core for Enhanced FPGA Security
The current hot topic in cyber-security is not constrained to software layers. As attacks on electronic circuits have become more usual and dangerous, hardening digital System-on-Chips has become crucial. This article presents a novel electronic core to encrypt and decrypt data between two digital modules through an Advanced eXtensible Interface (AXI) connection. The core is compatible with AXI and is based on a Trivium stream cipher. Its implementation has been tested on a Zynq platform. The core prevents unauthorized data extraction by encrypting data on the fly. In addition, it takes up a small area—242 LUTs—and, as the core’s AXI to AXI path is fully combinational, it does not interfere with the system’s overall performance, with a maximum AXI clock frequency of 175 MHz. This work has been supported within the fund for research groups of the Basque university system IT1440-22 by the Department of Education and within the PILAR ZE-2020/00022 and COMMUTE ZE-2021/00931 projects by the Hazitek program, both of the Basque Government, the latter also by the Ministerio de Ciencia e Innovación of Spain through the Centro para el Desarrollo Tecnológico Industrial (CDTI) within the project IDI-20201264 and IDI-20220543 and through the Fondo Europeo de Desarrollo Regional 2014–2020 (FEDER funds)
Assessing and augmenting SCADA cyber security: a survey of techniques
SCADA systems monitor and control critical infrastructures of national importance such as power generation and distribution, water supply, transportation networks, and manufacturing facilities. The pervasiveness, miniaturisations and declining costs of internet connectivity have transformed these systems from strictly isolated to highly interconnected networks. The connectivity provides immense benefits such as reliability, scalability and remote connectivity, but at the same time exposes an otherwise isolated and secure system, to global cyber security threats. This inevitable transformation to highly connected systems thus necessitates effective security safeguards to be in place as any compromise or downtime of SCADA systems can have severe economic, safety and security ramifications. One way to ensure vital asset protection is to adopt a viewpoint similar to an attacker to determine weaknesses and loopholes in defences. Such mind sets help to identify and fix potential breaches before their exploitation. This paper surveys tools and techniques to uncover SCADA system vulnerabilities. A comprehensive review of the selected approaches is provided along with their applicability
Applications of Context-Aware Systems in Enterprise Environments
In bring-your-own-device (BYOD) and corporate-owned, personally enabled (COPE) scenarios, employees’ devices store both enterprise and personal data, and have the ability to remotely access a secure enterprise network. While mobile devices enable users to access such resources in a pervasive manner, it also increases the risk of breaches for sensitive enterprise data as users may access the resources under insecure circumstances. That is, access authorizations may depend on the context in which the resources are accessed. In both scenarios, it is vital that the security of accessible enterprise content is preserved. In this work, we explore the use of contextual information to influence access control decisions within context-aware systems to ensure the security of sensitive enterprise data. We propose several context-aware systems that rely on a system of sensors in order to automatically adapt access to resources based on the security of users’ contexts. We investigate various types of mobile devices with varying embedded sensors, and leverage these technologies to extract contextual information from the environment. As a direct consequence, the technologies utilized determine the types of contextual access control policies that the context-aware systems are able to support and enforce. Specifically, the work proposes the use of devices pervaded in enterprise environments such as smartphones or WiFi access points to authenticate user positional information within indoor environments as well as user identities
Enabling Edge Computing Using Container Orchestration and Software Defined Networking
With software-defined wide-area networks (SD-WAN) being increasingly adopted, and Kubernetes becoming the de-facto container orchestration tool, the opportunities for deploying edge-computing applications running over an SD-WAN scenario are vast. In this context, a service discovery function will help develop a dynamic infrastructure where clients are able to seek and find particular services. Service discovery also enables a self-healing network capable of detecting unavailable services. Most of the research in the service discovery field focuses on the discovery of cloud-based services over software-defined networks (SDN). A lack of research in containerized service discovery over SD-WAN is evident. In this thesis, an in-house service discovery solution is developed that works alongside a container orchestrator to allow improved traffic handling and a better user experience through containerized service discovery and service request redirection. First, a proof-of-concept SD-WAN topology was implemented alongside a Kubernetes cluster and the in-house service discovery solution. Next, the implementation's performance is tested based on the time required for discovering whether a service has been created, updated or removed. Finally, improvements in node distance computation, local breakout support and the usage of data plane programmability are discussed
Design and implementation of serverless architecture for i2b2 on AWS cloud and Snowflake data warehouse
Informatics for Integrating Biology and the Bedside (i2b2) is an open-source medical tool for cohort discovery that allows researchers to explore and query clinical data. The i2b2 platform is designed to adopt any patient-centric data models and is used at over 400 healthcare institutions worldwide for querying patient data. The platform consists of a webclient, core servers and database. Despite having installation guidelines, the complex architecture of the system with numerous dependencies and configuration parameters makes it difficult to install a functional i2b2 platform. On the other hand, maintaining the scalability, security and availability of the application is also challenging and requires a lot of resources. Our aim was to deploy the i2b2 for University of Missouri (UM) System in the cloud as well as reduce the complexity and effort of the installation and maintenance process. Our solution encapsulated the complete installation process of each component using docker and deployed the container in the AWS Virtual Private Cloud (VPC) using several AWS PaaS (Platform as a Service) and IaaS (Infrastructure as a Service) services. We deployed the application as a service in the AWS FARGATE, an on-demand, serverless, auto scalable compute engine. We also enhanced the functionality of i2b2 services and developed Snowflake JDBC driver support for i2b2 backend services. It enabled i2b2 services to query directly from Snowflake analytical database. In addition, we also created i2b2-data-installer package to load PCORnet CDM and ACT ontology data into i2b2 database. The i2b2 platform in University of Missouri holds 1.26B facts of 2.2M patients of UM Cerner Millennium data. Includes bibliographical references