Cybersecurity and Quantum Computing: friends or foes?

L'abstract è presente nell'allegato / the abstract is in the attachmen

Using MACsec to protect a Network Functions Virtualisation Infrastructure

IEEE 802.1AE is a standard for Media Access Control security (MACsec), which enables data integrity, authentication, and confidentiality for traffic in a broadcast domain. This protects network communications against attacks at link layer, hence it provides a higher degree of security and flexibility compared to other security protocols, such as IPsec. Softwarised network infrastructures, based on Network Functions Virtualisation (NFV) and Software Defined Networking (SDN), provide higher flexibility than traditional networks. Nonetheless, these networks have a larger attack surface compared to legacy infrastructures based on hardware appliances. In this scenario, communication security is important to ensure that the traffic in a broadcast domain is not intercepted or manipulated. We propose an architecture for centralised management of MACsec-enabled switches in a NFV environment. Moreover, we present a PoC that integrates MACsec in the Open Source MANO NFV framework and we evaluate its performance

Towards an Efficient Management and Orchestration Framework for Virtual Network Security Functions

The recent years have witnessed a growth in the number of users connected to computer networks, due mainly to megatrends such as Internet of Things (IoT), Industry 4.0, and Smart Grids. Simultaneously, service providers started offering vertical services related to a specific business case (e.g., automotive, banking, and e-health) requiring more and more scalability and flexibility for the infrastructures and their management. NFV and SDN technologies are a clear way forward to address these challenges even though they are still in their early stages. Security plays a central role in this scenario, mainly because it must follow the rapid evolution of computer networks and the growing number of devices. The main issue is to protect the end-user from the increasing threats, and for this reason, we propose in this paper a security framework compliant to the Security-as-a-Service paradigm. In order to implement this framework, we leverage NFV and SDN technologies, using a user-centered approach. This allows to customize the security service starting from user preferences. Another goal of our work is to highlight the main relevant challenges encountered in the design and implementation of our solution. In particular, we demonstrate how significant is to choose an efficient way to configure the Virtual Network Security Functions in terms of performance. Furthermore, we also address the nontrivial problem of Service Function Chaining in an NFV MANO platform and we show what are the main challenges with respect to this problem

Integrity Verification of Distributed Nodes in Critical Infrastructures

The accuracy and reliability of time synchronization and distribution are essential requirements for many critical infrastructures, including telecommunication networks, where 5G technologies place increasingly stringent conditions in terms of maintaining highly accurate time. A lack of synchronization between the clocks causes a malfunction of the 5G network, preventing it from providing a high quality of service; this makes the time distribution network a very viable target for attacks. Various solutions have been analyzed to mitigate attacks on the Global Navigation Satellite System (GNSS) radio-frequency spectrum and the Precision Time Protocol (PTP) used for time distribution over the network. This paper highlights the significance of monitoring the integrity of the software and configurations of the infrastructural nodes of a time distribution network. Moreover, this work proposes an attestation scheme, based on the Trusted Computing principles, capable of detecting both software violations on the nodes and hardware attacks aimed at tampering with the configuration of the GNSS receivers. The proposed solution has been implemented and validated on a testbed representing a typical synchronization distribution network. The results, simulating various types of adversaries, emphasize the effectiveness of the proposed approach in a wide range of typical attacks and the certain limitations that need to be addressed to enhance the security of the current GNSS receivers

Virtual Network Function Embedding with Quantum Annealing

In recent years, the growing number of devices connected to the internet led network operators to continuously expand their own infrastructures. In order to simplify this scaling process, the research community is currently investigating the opportunity to move the complexity from a hardware to a software domain, through the introduction of a new paradigm, called Network Functions Virtualisation (NFV). It considers standard hardware platforms where many virtual instances are allocated to implement specific network services. However, despite the theoretical benefits, the mapping of the different virtual instances to the available physical resources represents a complex problem, difficult to be solved classically. The present work proposes a Quadratic Unconstrained Binary Optimisation (QUBO) formulation of this embedding process, exploring the implementation possibilities on D-Wave’s Quantum Annealers. Many test cases, with realistic constraints, have been considered to validate and characterise the potential of the model, and the promising results achieved are discussed throughout the document. The technical discussion is enriched with comparisons of the results obtained through heuristic algorithms, highlighting the strengths and the limitations in the resolution of the QUBO formulation proposed on current quantum machines

A novel architecture to virtualise a hardware-bound trusted platform module

Security and trust are particularly relevant in modern softwarised infrastructures, such as cloud environments, as applications are deployed on platforms owned by third parties, are publicly accessible on the Internet and can share the hardware with other tenants. Traditionally, operating systems and applications have leveraged hardware tamper-proof chips, such as the Trusted Platform Modules (TPMs) to implement security workflows, such as remote attestation, and to protect sensitive data against software attacks. This approach does not easily translate to the cloud environment, wherein the isolation provided by the hypervisor makes it impractical to leverage the hardware root of trust in the virtual domains. Moreover, the scalability needs of the cloud often collide with the scarce hardware resources and inherent limitations of TPMs. For this reason, existing implementations of virtual TPMs (vTPMs) are based on TPM emulators. Although more flexible and scalable, this approach is less secure. In fact, each vTPM is vulnerable to software attacks both at the virtualised and hypervisor levels. In this work, we propose a novel design for vTPMs that provides a binding to an underlying physical TPM; the new design, akin to a virtualisation extension for TPMs, extends the latest TPM 2.0 specification. We minimise the number of required additions to the TPM data structures and commands so that they do not require a new, non-backwards compatible version of the specification. Moreover, we support migration of vTPMs among TPM-equipped hosts, as this is considered a key feature in a highly virtualised environment. Finally, we propose a flexible approach to vTPM object creation that protects vTPM secrets either in hardware or software, depending on the required level of assurance

Toward a Complete Software Stack to Integrate Quantum Key Distribution in a Cloud Environment

The coming advent of Quantum Computing promises to jeopardize current communications security, undermining the effectiveness of traditional public-key based cryptography. Different strategies (Post-Quantum or Quantum Cryptography) have been proposed to address this problem. Many techniques and algorithms based on quantum phenomena have been presented in recent years; the most relevant example is the introduction of Quantum Key Distribution (QKD). This approach allows to exchange cryptographic keys among parties and does not suffer from the development of quantum computation. Problems arise when this technique has to be deployed and combined with modern distributed infrastructures that heavily depend on cloud and virtualisation paradigms. This paper addresses the issue by presenting a new software stack that effortlessly introduces QKD in such environments. This software stack allows for agnostic integration, monitoring, and management of QKD, independent from a specific vendor or technology. Furthermore, a QKD simulator is presented, designed, and tested. This latter contribution is suitable as a low-level testing device, as an independent software module to check QKD protocols, and as a testbed to identify future practical enhancements

PALANTIR: Zero-trust architecture for Managed Security Service Provider

The H2020 PALANTIR project aims at delivering a Security-as-a-Service solution to SMEs and microenterprises via the exploitation of containerised Network Functions. However, these functions are conceived by third-party developers and can also be deployed in untrustworthy virtualisation layers, depending on the subscribed delivery model. Therefore, they cannot be trusted and require a stringent monitoring to ensure their harmlessness, as well as adequate measures to remediate any nefarious activities. This paper justifies, details and evaluates a Zero-Trust architecture supporting PALANTIR’s solution. Specifically, PALANTIR periodically attests the service and infrastructure’s components for signs of compromise by implementing the Trusted Computing paradigm. Verification addresses the firmware, OS and software using UEFI measured boot and Linux Integrity Measurement Architecture, extended to support containerised application attestation. Mitigation actions are supervised by the Recovery Service and the Security Orchestrator based on OSM to, respectively, determine the adequate remediation actions from a recovery policy and enforce them down to the lower layers of the infrastructure through local authenticated enablers. We detail an implementation prototype serving a baseline for quantitative evaluation of our work

PALANTIR demo: leveraging SecaaS model for managing threats in industrial environments

PALANTIR, an EU-funded Innovation Action project, delivers tailored and pervasive resource protection through the Security-as-a-Service paradigm. This demo presents the architecture and validates the prototype against three threat scenarios with botnet, data breach and tampering attacks

Quantum Key Distribution in Kubernetes Clusters

Quantum Key Distribution (QKD) represents a reasonable countermeasure to the advent of Quantum Computing and its impact on current public-key cryptography. So far, considerable efforts have been devoted to investigate possible application scenarios for QKD in several domains such as Cloud Computing and NFV. This paper extends a previous work whose main objective was to propose a new software stack, the Quantum Software Stack (QSS), to integrate QKD into software-defined infrastructures. The contribution of this paper is twofold: enhancing the previous work adding functionalities to the first version of the QSS, and presenting a practical integration of the QSS in Kubernetes, which is the de-facto standard for container orchestration