Secure Identity Best Practice
- TYPE: Combined Session DATE: Wednesday, May 15, 2019 TIME: 14:30-15:30 LOCATION: CHIEMSEE
Rethinking Trust in Cloud Platforms: Secure and Trusted Out-Of-Band Data Acquisition
The complexity and sophistication of modern malware are evolving rapidly. Malwares today are able to exploit both hardware and software to infiltrate systems and tamper with data used for management. The revelation of several attacks on host machines, highlights that anything with shared resources can be attacked.
In cloud environment, data management is done by a centralised server that maintains the state of each platform. However, this is not an easy task when a machine is compromised. When the data acquisition software runs in the same domain as the malware, there is no guarantee that this data will not be tampered with. In particular, malware behaves different to when an observer-effect is detected. There is a visibility problem of how to securely acquire reliable data and infer the state of the system without leaving an observer effect? There is a need to rethink how to decentralise trust in complex platforms such as the cloud and use trusted method to prevent tampering with the data acquired for management. We solve the trust and visibility problem by acquiring physical memory out-of-band using a device from a new category of commercial-hardware (SmartNICs). Using this separate trust domain, we protect from tampering with the data being acquired.
To that end we have developed an abstraction software that facilitates acquisition of segments from the physical memory. More importantly without the knowledge of host software (e.g. malware) of when segments of the physical memory are being acquired. An added benefit of our approach is the fact that SmartNICs are on the edge of the network, which makes this technology capable of doing more than just detection but also prevention. For instance, blocking the network when signs of compromise are detected.
- In a cloud platform, the main execution domain (CPU) has a large attacks vector and there is a need for separate trust domains to guarantee the integrity of sensitive application such as application managing the infrastructure.
- Using Out-of-band hardware mitigates the shortcomings associated with current methods to acquire data for management and limit malware ability to manipulate the data.
- Isolating the data acquisition function using out-of-band hardware allows for dedicating the entire compute resources to users. With the increase of the I/O rate of operation (e.g. PCIe) this method is able to cope with the rapid changes happening in cloud machines, and scale in managing several virtual machines in one server.
- Registration fee:
- Contact person:
Mr. Levent Kara
+49 211 23707710
- May 14 - 17, 2019 Munich, Germany