protecting e -government against attacks gernot heiser nicta and university of new south wales
DESCRIPTION
Protecting e -Government Against Attacks Gernot Heiser NICTA and University of New South Wales. e-Government Threats. ATTACK. government server. citizen terminal. Software Complexity and Attack Surface. 1 million lines. 1 million lines of software ⇒ 1000s of faults!. Application. - PowerPoint PPT PresentationTRANSCRIPT
Protecting e-Government Against AttacksGernot HeiserNICTA and University of New South Wales
©2013 Gernot Heiser, NICTA 2
e-Government Threats
Brussels, Feb'13
governmentserver
citizenterminal
ATTACK
2
©2013 Gernot Heiser, NICTA 3
Application
WebServer Database
Management
Operating System
Hardware
Software Complexity and Attack Surface
10 million lines
10 million lines
1 million lines
1 million lines of software ⇒ 1000s of faults!
In security-critical software, >10% of faults become vulnerabilities
Crit
ical
Brussels, Feb'133
©2013 Gernot Heiser, NICTA 4
Hardware
Hypervisor
Application
WebServ.
Database
Mgmt
OS
VM1
Application
WebServ.
Database
Mgmt
OS
VM2
Virtualization
Single physical machine
Multiple virtual
machines
Extra software
layer
Advantages:• server
consolidation• reduced
management cost• improved
utilisation• reduced energy
useDisadvantages:• increased attack
surface
Brussels, Feb'134
©2013 Gernot Heiser, NICTA 5
Attack Surface
Component Total size
Critical part
Vulnerabilities
Management 1 MLOC 1 MLOC 100s
Web server, database, application
10 MLOC 1 MLOC 100s
Operating System 10 MLOC 10 MLOC 1000s
Hypervisor 1 MLOC 1 MLOC 100s
Brussels, Feb'13
Crit
ical
5
©2013 Gernot Heiser, NICTA 6
Hardware
Hypervisor
CompromisedOS
VM1
TargetOS
VM2
Virtualization Attacks: Server-to-Server
Virtual machines isolated by hypervisor
isolation only as ⇒good as hypervisor
Target may not even
know about co-location!
Attack Attack
Brussels, Feb'136
©2013 Gernot Heiser, NICTA 7
Hardware
Hypervisor
CompromisedOS
VM1
TargetOS
VM2
Virtualization Attacks: Side Channels
Demonstrated theft of encryption keys
Information leakage through hardware/hyper
visor
Without affecting “correct” hypervisor
operation!
Brussels, Feb'137
©2013 Gernot Heiser, NICTA 8
Hardware
Microkernel
Application
WebServ.
Database
Mgmt
OS
VirtualizationFunctionality
VM2
Application
WebServ.
Database
Mgmt
OS
VirtualizationFunctionality
VM1
Decrease Attack Surface: Microkernels
10 MLOC,not
isolation-critical
0.01 MLOC,isolation-
critical
Split hypervisor
functionality
Brussels, Feb'138
©2013 Gernot Heiser, NICTA 9
Microkernels
Track record:• OKL4 microkernel deployed on > 1.5 billion mobile devices• Developed by NICTA, marketed by Open Kernel Labs
Unparalleled security potential:• 10,000 lines minimal vulnerabilities⇒• Small enough to prove absence of faults
Brussels, Feb'13
NICTA’s seL4 microkernel:
First and only operating-system with proof that operation is always according to specification
NICTA’s seL4 microkernel:
First and only operating-system with proof that operation is always according to specification
… and as fast as any microkernel!
9
©2013 Gernot Heiser, NICTA 10
Terminals
Brussels, Feb'13
Bigger challenge than servers• Live in uncontrolled environments• Run large amounts of untrusted software• Large percentage infected by malware• Cannot be trusted to keep secrets!
10
©2013 Gernot Heiser, NICTA 11
Hardware
Hypervisor
Apps
OS
VM1
Secure App
Mini OS
VM2
Protecting Terminals – With Virtualization!
Standard smartphone OS + apps
Minimal secure environment, protected by hypervsior
Data encrypted and securely sent through standard
environment
Brussels, Feb'1311
©2013 Gernot Heiser, NICTA 12
Recommendations
1. Require provably secure virtualization technology (after transition period)– provide incentive to industry for delivering secure products
2. Fund development of open-source provably secure virtualization technology (equivalent to seL4)– avoid private monopoly for critical infrastructure
3. Require certified secure communication functionality on terminals accessing e-government services (after transition period)– provide incentive to industry for delivering secure products
Brussels, Feb'1312