12 research outputs found

    Using MACsec to protect a Network Functions Virtualisation Infrastructure

    IEEE 802.1AE is a standard for Media Access Control security (MACsec), which enables data integrity, authentication, and confidentiality for traffic in a broadcast domain. This protects network communications against attacks at the link layer, hence it provides a higher degree of security and flexibility compared to other security protocols, such as IPsec. Softwarised network infrastructures, based on Network Functions Virtualisation (NFV) and Software Defined Networking (SDN), provide higher flexibility than traditional networks. Nonetheless, these networks have a larger attack surface compared to legacy infrastructures based on hardware appliances. In this scenario, communication security is important to ensure that the traffic in a broadcast domain is not intercepted or manipulated. We propose an architecture for centralised management of MACsec-enabled switches in an NFV environment. Moreover, we present a PoC that integrates MACsec in the Open Source MANO NFV framework and we evaluate its performance.

    Integrity Verification of Distributed Nodes in Critical Infrastructures

    The accuracy and reliability of time synchronization and distribution are essential requirements for many critical infrastructures, including telecommunication networks, where 5G technologies place increasingly stringent conditions in terms of maintaining highly accurate time. A lack of synchronization between the clocks causes a malfunction of the 5G network, preventing it from providing a high quality of service; this makes the time distribution network a very viable target for attacks. Various solutions have been analyzed to mitigate attacks on the Global Navigation Satellite System (GNSS) radio-frequency spectrum and the Precision Time Protocol (PTP) used for time distribution over the network. This paper highlights the significance of monitoring the integrity of the software and configurations of the infrastructural nodes of a time distribution network. Moreover, this work proposes an attestation scheme, based on the Trusted Computing principles, capable of detecting both software violations on the nodes and hardware attacks aimed at tampering with the configuration of the GNSS receivers. The proposed solution has been implemented and validated on a testbed representing a typical synchronization distribution network. The results, simulating various types of adversaries, emphasize the effectiveness of the proposed approach in a wide range of typical attacks and the certain limitations that need to be addressed to enhance the security of the current GNSS receivers.

    PALANTIR: Zero-trust architecture for Managed Security Service Provider

    The H2020 PALANTIR project aims at delivering a Security-as-a-Service solution to SMEs and microenterprises via the exploitation of containerised Network Functions. However, these functions are conceived by third-party developers and can also be deployed in untrustworthy virtualisation layers, depending on the subscribed delivery model. Therefore, they cannot be trusted and require stringent monitoring to ensure their harmlessness, as well as adequate measures to remediate any nefarious activities. This paper justifies, details and evaluates a Zero-Trust architecture supporting PALANTIR’s solution. Specifically, PALANTIR periodically attests the service and infrastructure’s components for signs of compromise by implementing the Trusted Computing paradigm. Verification addresses the firmware, OS and software using UEFI measured boot and Linux Integrity Measurement Architecture, extended to support containerised application attestation. Mitigation actions are supervised by the Recovery Service and the Security Orchestrator based on OSM to, respectively, determine the adequate remediation actions from a recovery policy and enforce them down to the lower layers of the infrastructure through local authenticated enablers. We detail an implementation prototype serving as a baseline for quantitative evaluation of our work.

    Counteracting software integrity attacks on IoT devices with remote attestation: a prototype

    Internet of Things (IoT) devices are increasingly deployed nowadays in various security-sensitive contexts, e.g., inside homes or in critical infrastructures. The data they collect is of interest to attackers as it may reveal living habits, personal data, or the operational status of specific targets. This paper presents an approach to counter software manipulation attacks against running processes, data, or configuration files on an IoT device, by exploiting trusted computing techniques and remote attestation. We have used a Raspberry Pi 4 single-board computer device equipped with an Infineon Trusted Platform Module (TPM) v2, acting as an attester. A verifier node continuously monitors the attester and checks its integrity through a remote attestation protocol and TPM-enabled operations. We have exploited the Keylime framework from MIT Lincoln Laboratories as remote attestation software. Through tests, we show that remote attestation can be performed within a short time (on the order of seconds), allowing us to restrict the window of exposure of such devices to attacks against the running software and/or hosted data.

    Exploiting the DICE specification to ensure strong identity and integrity of IoT devices

    IoT devices are becoming widely used in several contexts, and nowadays billions of devices are deployed in different scenarios, some of which are very critical to people’s privacy and safety. For these reasons, it is very important to provide capabilities for guaranteeing the correct behaviour of the devices. Remote attestation is a technique traditionally used to monitor the integrity status of nodes and to determine if they are behaving as expected. This technique requires that the device is equipped with Roots of Trust, that is, the set of hardware and software features that make the platform capable of providing reliable integrity reports even when it has been compromised. This paper proposes a solution that permits identifying and attesting devices in a dynamic context, such as Smart Cities or Smart Homes, where unknown devices can connect to the network and perform several actions. The proposed security schema is based on the Device Identity Composition Engine (DICE), which represents a set of specifications designed by the Trusted Computing Group (TCG) to enhance the security and privacy of devices with minimal silicon requirements.

    Heat shock proteins in cancer stem cell maintenance: a potential therapeutic target?

    Cancer stem cells (CSCs) are a subpopulation of tumor cells with unlimited self-renewal capability, multilineage differentiation potential and long-term tumor repopulation capacity. CSCs reside in anatomically distinct regions within the tumor microenvironment, called niches, and this favors the maintenance of CSC properties and preserves their phenotypic plasticity. Indeed, CSCs are characterized by a flexible state based on their capacity to interconvert between a differentiated and a stem-like phenotype, and this depends on the activation of adaptive mechanisms in response to different environmental conditions. Heat Shock Proteins (HSPs) are molecular chaperones, upregulated upon cell exposure to several stress conditions, and are responsible for the normal maturation, localization and activity of intra- and extracellular proteins. Noteworthy, HSPs play a central role in several cellular processes involved in tumor initiation and progression (i.e. cell viability, resistance to apoptosis, stress conditions and drug therapy, EMT, bioenergetics, invasiveness, metastasis formation) and, thus, are widely considered potential molecular targets. Furthermore, much evidence suggests a key regulatory function for HSPs in CSC maintenance, and their upregulation has been proposed as a mechanism used by CSCs to adapt to unfavorable environmental conditions, such as nutrient deprivation, hypoxia, and inflammation. This review discusses the relevance of HSPs in CSC biology, highlighting their role as novel potential molecular targets to develop anticancer strategies aimed at CSC targeting.

    Mitigating Software Integrity Attacks With Trusted Computing in a Time Distribution Network

    Time Distribution Networks (TDNs) evolve as new technologies occur to ensure more accurate, reliable, and secure timing information. These networks typically exploit several distributed time servers, organized in a master-slave architecture, that communicate via dedicated timing protocols. From the security perspective, timing data must be protected since its modification or filtering can lead to grave consequences in different time-based contexts, such as health, energy, finance, or transportation. Thus, adequate countermeasures must be employed in all the stages and systems handling timing data from its calculation until it reaches the final users. We consider a TDN offering highly accurate (nanosecond level) time synchronization through specific time unit devices that exploit terrestrial atomic or rubidium clocks and Global Navigation Satellite Systems (GNSS) receivers. Such devices are appealing targets for attackers, who might exploit various attack vectors to compromise their functionality. We individuate three possible software integrity attacks against time devices, and we propose a solution to counter them by exploiting the cryptographic Trusted Platform Module (TPM), defined and supported by the Trusted Computing Group. We used remote attestation software for cloud environments, namely the Keylime framework, to verify (periodically) the software daemons running on the time devices (or their configuration) from a trusted node. Experiments performed on a dedicated testbed set up in the ROOT project with customized time unit devices from Seven Solutions (currently Orolia Spain) allow us to demonstrate that exploiting TPMs and remote attestation in the TDNs is not only helpful but is fundamental for discovering some attacks that would otherwise remain undetected. Our work thus helps TDN operators build more robust, accurate, and secure time synchronization services.

    Endoplasmic Reticulum Stress and Unfolded Protein Response in Breast Cancer: The Balance between Apoptosis and Autophagy and Its Role in Drug Resistance

    The unfolded protein response (UPR) is a stress response activated by the accumulation of unfolded or misfolded proteins in the lumen of the endoplasmic reticulum (ER), and its uncontrolled activation is mechanistically responsible for several human pathologies, including metabolic, neurodegenerative, and inflammatory diseases, and cancer. Indeed, ER stress and the downstream UPR activation lead to changes in the levels and activities of key regulators of cell survival and autophagy, and this is physiologically finalized to restore metabolic homeostasis with the integration of pro-death and/or pro-survival signals. By contrast, the chronic activation of UPR in cancer cells is widely considered a mechanism of tumor progression. In this review, we focus on the relationship between ER stress, apoptosis, and autophagy in human breast cancer and the interplay between the activation of UPR and resistance to anticancer therapies, with the aim to disclose novel therapeutic scenarios. The hypothesis that autophagy and UPR may provide novel molecular targets in human malignancies is discussed.

    Comparative Gene Expression Profiling of Tobacco-Associated HPV-Positive versus Negative Oral Squamous Carcinoma Cell Lines

    Background: HPV-positive oral squamous cell carcinomas (OSCCs) are specific biological and clinical entities, characterized by a more favorable prognosis compared to HPV-negative OSCCs and occurring generally in non-smoking and non-drinking younger individuals. However, poor information is available on the molecular and the clinical behavior of HPV-positive oral cancers occurring in smoking/drinking subjects. Thus, this study was designed to compare, at the molecular level, two OSCC cell lines, both derived from drinking and smoking individuals and differing for presence/absence of HPV infection. Methods: HPV-negative UPCI-SCC-131 and HPV16-positive UPCI-SCC-154 cell lines were compared by whole genome gene expression profiling and subsequently studied for activation of the Wnt/beta Catenin signaling pathway by the expression of several Wnt-target genes, beta Catenin intracellular localization, stem cell features and miRNA let-7e. Gene expression data were validated in head and neck squamous cell carcinoma (HNSCC) public datasets. Results: Gene expression analysis identified the Wnt/beta Catenin pathway as the unique signaling pathway more active in HPV-negative compared to HPV-positive OSCC cells, and this observation was confirmed upon evaluation of several Wnt-target genes (i.e., Cyclin D1, Cdh1, Cdkn2a, Cd44, Axing, c-Myc and Tcf1). Interestingly, HPV-negative OSCC cells showed higher levels of total beta Catenin and its active form, an increase of its nuclear accumulation and more prominent stem cell traits. Furthermore, miRNA let-7e was identified as a potential upstream regulator responsible for the downregulation of the Wnt/beta Catenin signaling cascade, since its silencing in UPCI-SCC-154 cells resulted in upregulation of Wnt-target genes. Finally, the analysis of two independent gene expression public datasets of human HNSCC cell lines and tumors confirmed that the Wnt/beta Catenin pathway is more active in HPV-negative compared to HPV-positive tumors derived from individuals with a smoking habit. Conclusions: These data suggest that lack of HPV infection is associated with more prominent activation of the Wnt/beta Catenin signaling pathway and gain of stem-like traits in tobacco-related OSCCs.