Protecting e-Government Against AttacksGernot HeiserNICTA and University of New South Wales

©2013 Gernot Heiser, NICTA 2

e-Government Threats

Brussels, Feb'13

governmentserver

citizenterminal

ATTACK

2

©2013 Gernot Heiser, NICTA 3

Application

WebServer Database

Management

Operating System

Hardware

Software Complexity and Attack Surface

10 million lines

10 million lines

1 million lines

1 million lines of software ⇒ 1000s of faults!

In security-critical software, >10% of faults become vulnerabilities

Cri

tic

alBrussels, Feb'133

©2013 Gernot Heiser, NICTA 4

Hardware

Hypervisor

Application

WebServ.

Database

Mgmt

OS

VM1

Application

WebServ.

Database

Mgmt

OS

VM2

Virtualization

Single physical machine

Multiple virtual

machines

Extra software

layer

Advantages:• server

consolidation• reduced

management cost• improved

utilisation• reduced energy

useDisadvantages:• increased attack

surface

Brussels, Feb'134

©2013 Gernot Heiser, NICTA 5

Attack Surface

ComponentTotal size

Critical part

Vulnerabilities

Management 1 MLOC 1 MLOC 100s

Web server, database, application

10 MLOC 1 MLOC 100s

Operating System

10 MLOC 10 MLOC 1000s

Hypervisor 1 MLOC 1 MLOC 100s

Brussels, Feb'13

Cri

tic

al

5

©2013 Gernot Heiser, NICTA 6

Hardware

Hypervisor

CompromisedOS

VM1

TargetOS

VM2

Virtualization Attacks: Server-to-Server

Virtual machines isolated by hypervisor

isolation only as ⇒good as hypervisor

Target may not even

know about co-location!

AttackAtta

ck

Brussels, Feb'136

©2013 Gernot Heiser, NICTA 7

Hardware

Hypervisor

CompromisedOS

VM1

TargetOS

VM2

Virtualization Attacks: Side Channels

Demonstrated theft of encryption keys

Information leakage through hardware/hyper

visor

Without affecting “correct” hypervisor

operation!

Brussels, Feb'137

©2013 Gernot Heiser, NICTA 8

Hardware

Microkernel

Application

WebServ.

Database

Mgmt

OS

VirtualizationFunctionality

VM2

Application

WebServ.

Database

Mgmt

OS

VirtualizationFunctionality

VM1

Decrease Attack Surface: Microkernels

10 MLOC,not

isolation-critical

0.01 MLOC,isolation-

critical

Split hypervisor

functionality

Brussels, Feb'138

©2013 Gernot Heiser, NICTA 9

Microkernels

Track record:• OKL4 microkernel deployed on > 1.5 billion mobile devices• Developed by NICTA, marketed by Open Kernel Labs

Unparalleled security potential:• 10,000 lines minimal vulnerabilities⇒• Small enough to prove absence of faults

Brussels, Feb'13

NICTA’s seL4 microkernel:

First and only operating-system with proof that operation is always according to specification

NICTA’s seL4 microkernel:

First and only operating-system with proof that operation is always according to specification

… and as fast as any microkernel!

9

©2013 Gernot Heiser, NICTA 10

Terminals

Brussels, Feb'13

Bigger challenge than servers• Live in uncontrolled environments• Run large amounts of untrusted software• Large percentage infected by malware• Cannot be trusted to keep secrets!

10

©2013 Gernot Heiser, NICTA 11

Hardware

Hypervisor

Apps

OS

VM1

Secure App

Mini OS

VM2

Protecting Terminals – With Virtualization!

Standard smartphone OS + apps

Minimal secure environment, protected by hypervsior

Data encrypted and securely sent through standard

environment

Brussels, Feb'1311

©2013 Gernot Heiser, NICTA 12

Recommendations

1. Require provably secure virtualization technology (after transition period)– provide incentive to industry for delivering secure products

2. Fund development of open-source provably secure virtualization technology (equivalent to seL4)– avoid private monopoly for critical infrastructure

3. Require certified secure communication functionality on terminals accessing e-government services (after transition period)– provide incentive to industry for delivering secure products

Brussels, Feb'1312