
Embedded Virtualization Can Secure Industrial Networks

Security issues in industrial markets have been receiving much attention in the media. In many cases, the vast majority of devices that power infrastructure rely on aging technology and are not well prepared for the latest cyber security threats.

Taking the energy grid as an example: one does not have to be a scientist to find the holes when approximately 70% of the infrastructure is more than 30 years old.

Devices that were never designed for a connected world in the first place are wide open for attacks. Utility providers and the dominating players that power this market are under intense pressure; critical infrastructure is supposed to be stable, robust and often certified for functional safety requirements.

While safety systems are left untouched after certification for reasons of risk, complexity and cost, a secure system is only secure if it is able to withstand the latest vulnerabilities. The contradiction between the lifecycle of safety and security is a very expensive challenge today. However, the good news is that embedded virtualization can alleviate these security challenges.

To provide a solution that can be retrofitted to an existing infrastructure, new security devices are often integrated with existing devices. Firewalls, IPS, IDS or other boxes add to the CAPEX cost, but also increase the complexity of the supply chain management for installations that may have a lifecycle of 25 years or more.

New systems are designed with both safety and security in mind. Functions that would be in separate boxes in the existing infrastructure can be consolidated to reduce the CAPEX burden and avoid even greater costs in supply chain management.

This idea is not new: consolidating workload into more intelligent systems by leveraging improved hardware architectures that support virtualization creates a significant opportunity to meet today’s architectural challenges.

One proven approach to security is to keep devices that need to be secure away from general access: for example, physically or virtually separated from networks such as the Internet.

The implication of this approach is that physically separate devices and networks need to be built for secure versus insecure devices. In general, this is impractical because of the expense and redundancy involved. A more cost-effective solution is to leverage embedded virtualization.

In embedded systems, virtualization at the processor and board level is provided by a hypervisor. A hypervisor allows several virtual systems to run on a single piece of hardware efficiently. Hypervisors can be used to consolidate several systems into one, saving material costs; reducing size, weight and power; and reducing supply chain costs and complexity. Virtualization with a hypervisor can also allow developers to partition a system for functional, security and safety reasons.

Virtualization technology can also provide an OS-agnostic, safe and secure partitioning layer. This addresses a key concern of the market today: ensuring that different services on a device do not impact each other for security and safety.

This ability to securely combine different partitions not only reduces the development costs, but also the operating and capital costs. Using fewer chips and boards reduces the capital cost of the product.

OPEX is also reduced with less inventory and spares and a simpler process for upgrading hardware and software. Now, any new patches or updates to parts of the system software will not affect the real-time operation of the system, nor require lengthy testing and re-certification.

The move to virtualization extends the lifecycle of embedded products. Existing code can run on its own secure partition running an RTOS while new features can be added to the non-real-time partition running an OS such as Linux or Microsoft Windows for the user interface.

To implement this efficiently, virtualization uses hardware enhancements specific to a CPU architecture, enabling all the advantages with minimal impact on performance and latency, especially for the hardware-assisted isolation between partitions.

This strategy greatly extends the life of an embedded product without the expense of having to rewrite real-time embedded code, add and re-certify drivers or redesign hardware. This is a particular issue for systems that combine real-time capability and user interface in one operating system – when there are patches or updates to the OS, the whole design has to be re-tested and possibly re-certified to ensure there is no impact on the real-time operation.

The influence of machine-to-machine (M2M) networks is growing and many devices now need additional gateways, firewalls and other communication functions. Virtualization is an excellent way of adding these to the system through the non-real time operating system without having to change and re-certify the real-time elements of the software or change the hardware.

One proposed architecture that is fast gaining ground is to provide more localized and connected processing power close to where it is needed, often as a gateway to the wider Internet. Local traffic can be processed quickly and acted on, while the data is still available to the wider systems across the Internet, whether it is a train, a manufacturing floor or a power plant. This approach provides the ability to consolidate a number of functions from communications to data processing. This is costly and complex when implemented in separate boxes. The ability to consolidate a wide range of functions reliably and securely into an intelligent single unit is more cost effective and becoming increasingly popular.

This trend has implications for security. Consolidating workloads in a single device means communications are linked to real-time operations and the flow of data. This means there is a need to keep certain functions highly separated.

Safety-critical code must be protected and unchanged to retain its certification, and yet the security that protects the system has to be updated regularly to defend against ever changing attacks. At the same time, there are communications protocols and data capture in the system that need real-time performance alongside human interfaces that can be run at slower speeds.

All of this provides a potentially highly complex environment. The traditional approach has been to have separate devices for each of these functions, such as the communications and real-time elements.

However, security needs to be deeply embedded within the system to provide maximum protection; and physical separation leads to a number of architectural challenges that can be expensive to solve.

Virtualization has already opened up a wide range of new applications in IT, but the ability to provide true real-time performance alongside a mainstream OS opens up yet more embedded opportunities in new and existing markets.

Smart-grid networks, manufacturing systems, and transportation are all set to benefit from the consolidation of workloads and the separation of communication and security functions on to a single core. This allows cost-effective development of secure, reliable and future-proof embedded systems. Running the same operating systems on both a single- and multi-core device opens up a platform of equipment that can scale from a single core to many, all with the same software base.

Consolidation of workloads also has a significant effect on the capital and operational expenditures. Building a single unit with a single board rather than multiple units with multiple boards reduces the upfront costs. Millions of M2M devices are being rolled out, connected to hundreds of thousands of gateway units, so this is a significant saving in the upfront cost.

Decoupling the software lifecycle of different elements and still being able to use a single device can reduce expenses. All of this can provide dramatic savings in development time and equipment cost, allowing more processing performance to sit closer to where it is needed in the network and support lower cost sensors and terminals in the home or on the factory floor.

Author: Alexander Damisch

Enhanced Security For Sensitive Cloud Computing Data

Researchers from North Carolina State University and IBM have developed a new, experimental technique to better protect sensitive information in cloud computing – without significantly affecting the system’s overall performance.

Under the cloud-computing paradigm, the computational power and storage of multiple computers is pooled, and can be shared by multiple users. Hypervisors are programs that create the virtual workspace that allows different operating systems to run in isolation from one another – even though each of these systems is using computing power and storage capability on the same computer. A longstanding concern in cloud computing is that attackers could take advantage of vulnerabilities in a hypervisor to steal or corrupt confidential data from other users in the cloud.

The NC State research team has developed a new approach to cloud security, which builds upon existing hardware and firmware functionality to isolate sensitive information and workload from the rest of the functions performed by a hypervisor. The new technique, called “Strongly Isolated Computing Environment” (SICE), demonstrates the introduction of a different layer of protection.

“We have significantly reduced the ‘surface’ that can be attacked by malicious software,” says Dr. Peng Ning, a professor of computer science at NC State and co-author of a paper describing the research. “For example, our approach relies on a software foundation called the Trusted Computing Base, or TCB, that has approximately 300 lines of code, meaning that only these 300 lines of code need to be trusted in order to ensure the isolation offered by our approach. Previous techniques have exposed thousands of lines of code to potential attacks. We have a smaller attack surface to protect.”

SICE also lets programmers dedicate specific cores on widely-available multi-core processors to the sensitive workload – allowing the other cores to perform all other functions normally. A core is the brain of a computer chip, and many computers now use chips that have between two and eight cores. By confining the sensitive workload to one or a few cores with strong isolation, and allowing other functions to operate separately, SICE is able to provide both high assurance for the sensitive workload and efficient resource sharing in a cloud.

In testing, the SICE framework generally imposed a performance overhead of approximately 3 percent on multi-core processors for workloads that do not require direct network access. “That is a fairly modest price to pay for the enhanced security,” Ning says. “However, more research is needed to further speed up the workloads that require interactions with the network.”


VoIP Viral Video: VoIP Hacker Attack Visualized

Viruses and computer hacking have become common terms we all hear regularly in news reports and online. And while the concept of a virus is easy to understand, mainly because we are all taught how biological viruses work in our own body, it’s difficult to understand exactly what is going on during an attack inside your PC.

What we need is a realistic visualization of exactly what is happening as an attack happens, and how the security measures put in place work to counter and block those attacks. Thanks to Ben Reardon of dataviz Australia, that’s exactly what we now have to look at.

The video below is a visual representation of a hack on a Voice over Internet Protocol (VoIP) service. On the left hand side of the video is the server which serves up unprotected accounts represented by the blue data entries that keep appearing. The blue bubbles that fall down the screen represent calls being made. In a system free of hacker activity that’s all the visualization would show, but as is the case with a lot of publicly accessible systems, someone is always trying to find a weakness.

On the right hand side you see red and white bubbles appear. These are malicious scans being carried out on the system trying to locate a pool of information that can be hacked. In this case that would be the blue bubbles, so the security in place needs to stop that happening. The green bubbles are what’s meant to do that and form a honeypot for the hacker’s scans.

As long as those green bubbles keep appearing in enough quantities the hacker’s scan will be blocked from the real data, and therefore the system remains safe. If one gets through it can latch on to a blue bubble and attempt to steal important information such as a password or full login details.

While it may seem like things are under control in the video, imagine dealing with hundreds of attacks a day, all trying different techniques to bypass your security and stop the green bubbles from deploying. After watching such an attack in action it’s easy to see how some hacks manage to succeed and break through the defenses.
