Software Hardening & FIPS 140 Eugen Bacic & Gary Maxwell September 27th, 2005.



Software vs. Hardware
- Software is preferable to hardware due to cost & flexibility
- Plus:
  - Ease of deployment
  - Ease of upgrade
  - Diversity
  - Generality
  - Malleability

Barriers to Software Solutions
- Environment
- Crypto Culture
- Attacker Expertise
- Hardware good, software bad:
  - Tampering is more difficult to hide with hardware
  - Harder to “turn” hardware away from its intended purpose
  - Reliability & redundancy
  - Cracker sophistication needs to be higher
  - Independent of host applications
  - Cracker opportunities typically require physical access

Meeting FIPS 140 Level 3
- Cryptographic module ports and interfaces
  - Notion of a “data port” nebulous in software
  - Interfaces may be viable points (i.e., APIs)
  - Can be expected of “good programming practices”
- Roles, Services, & Authentication
  - Identity-based operator authentication
  - Two factor authentication should suffice
  - Software module should be self-authenticating as well
- Design Assurance
  - High-level language implementation is standard software practice
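As an added illustration of the "self-authenticating" bullet above (not code from the presentation): a power-up integrity check in which a software module computes an HMAC over its own image and refuses service on mismatch. The class and function names, the key and the image bytes are hypothetical, constructed values; a real module would read its own on-disk image.

```python
import hashlib
import hmac

# Constructed sample values: stand-ins for the module's on-disk image and
# for an integrity key that a real build would protect (assumption).
CONSTRUCTED_IMAGE = b"\x7fELF...constructed module code and tables..."
CONSTRUCTED_KEY = b"constructed-integrity-key"


class IntegrityError(Exception):
    """Raised when a service is requested from an unauthenticated module."""


def compute_module_mac(image: bytes, key: bytes) -> bytes:
    """HMAC-SHA-256 over the whole module image."""
    return hmac.new(key, image, hashlib.sha256).digest()


class SoftwareModule:
    """Hypothetical module that must authenticate itself before serving."""

    def __init__(self, image: bytes, reference_mac: bytes, key: bytes):
        self._image, self._reference_mac, self._key = image, reference_mac, key
        self.state = "uninitialised"

    def power_up_self_test(self) -> bool:
        actual = compute_module_mac(self._image, self._key)
        # compare_digest avoids leaking the mismatch position through timing.
        ok = hmac.compare_digest(actual, self._reference_mac)
        self.state = "operational" if ok else "error"
        return ok

    def digest_service(self, data: bytes) -> bytes:
        # No cryptographic service is offered unless the self-test passed.
        if self.state != "operational":
            raise IntegrityError("self-test failed or was not run")
        return hashlib.sha256(data).digest()


def run_demo() -> tuple:
    """Self-test result for the intact image and for a one-bit-modified copy."""
    reference = compute_module_mac(CONSTRUCTED_IMAGE, CONSTRUCTED_KEY)
    intact = SoftwareModule(CONSTRUCTED_IMAGE, reference, CONSTRUCTED_KEY)
    tampered_image = bytes([CONSTRUCTED_IMAGE[0] ^ 0x01]) + CONSTRUCTED_IMAGE[1:]
    tampered = SoftwareModule(tampered_image, reference, CONSTRUCTED_KEY)
    return intact.power_up_self_test(), tampered.power_up_self_test()


if __name__ == "__main__":
    print(run_demo())
```

The key and the check both live in the software, so someone who can rewrite the image can also recompute the reference value or patch out the test; on its own the check catches accidental or unsophisticated modification unless the key and code are themselves protected.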

Meeting FIPS 140 Level 3
- Physical Security
  - Parts are hardware specific
  - Anti-debug technologies would need to be deployed
  - Obfuscation can meet many of the requirements
  - Some are too hardware specific and would have to be ignored
  - Must remember that there are a lot of reverse engineering tools, and so must ensure software crypto solutions are adequately prepared
  - Tamper detection hard when software can easily be replicated
  - OS-level and OS-hardware interaction can help alleviate above

Meeting FIPS 140 Level 3
- Operational Environment
  - EAL3 requirement
  - Can be met with EAL3 operating systems
- Cryptographic Key Management
  - White-box cryptography resolves this issue
- EMI/EMC
  - Software can manipulate EMI/EMC signals
  - However, the bandwidth may be too low to provide sufficient attack significance
  - Furthermore, white-box cryptography with its use of consistent lookup tables should aid in resisting timing attacks

Circumvention Research
- Interesting research coming out of Canada
  - Wurster’s Generic Attack
  - Hyper-Threading Vulnerability
- Similarities in that unprivileged users can modify the execution stream of certain popular processors without detection:
  - Difficult to detect attack code
  - Feasible even where emulator-based attacks fail
  - Attack code is generic and not program dependent
- Further research necessary to determine the true threats posed
- At present it seems there are no viable solutions to the above threats

Conclusion
- Notwithstanding current circumvention research, efforts must be made in examining viable software crypto standards
- Obfuscation and other tamper resistant techniques should be examined
- Research must be pursued that accurately defines:
  - What is necessary for Level 3 software crypto
  - Adequate tests for Level 3 crypto
  - Impact of software crypto on the industry

Thank You!
Eugen Bacic
Chief Scientist
Cinnabar Networks Inc.