Published by Laurel Nelson. Modified over 8 years ago.
1
Self-Securing Devices: Better Security via Smarter Devices
Greg Ganger
Director, Parallel Data Lab
2
Greg Ganger, November 2001, http://www.pdl.cmu.edu/

Motivation: Intrusion Survival
- Intrusions are a fact of modern computing
  - E-mail worms, virus-infected software, crackers, …
  - Never going to have rock-solid kernels or firewalls
- Dilemma: all hope placed in perimeter defense
  - Difficult to defend fully
  - Difficult to recover from breaches
  - Difficulties scale with amount of stuff protected
- Better approach: many independent perimeters
3
Some components of a computer system
[Diagram: Kernel, Programs, Main Memory, NIC, Network, SIC, Disks, Graphics Card, Video Capture]
4
Today’s security perimeter
[Diagram: Kernel, Programs, Main Memory, NIC, Network, SIC, Disks, Graphics Card, Video Capture]
5
What makes the current model so bad?
- Large, singular borders must support many needs
  - code too complex to get perfect
  - system too complex to administer perfectly
- Successful intruder controls all resources
  - no observations or state remain trustable
  - no foothold for detection, diagnosis, or recovery
- Central security checks don’t scale
  - result: trade-off between security and performance
6
Today’s security perimeter
[Diagram: Kernel, Programs, Main Memory, NIC, Network, SIC, Disks, Graphics Card, Video Capture]
7
Lots of distinct “computers” in this system
- SCSI cards
- Video cards
- Network cards
- … and disks too
8
More good places for security perimeters
[Diagram: Kernel, Programs, Main Memory, NIC, Network, SIC, Disks, Graphics Card, Video Capture]
9
What makes self-securing devices better?
- Many additional perimeters
  - each is easier to harden (small, specialized)
  - each is very different from others (heterogeneous)
- Successful intruder controls fewer resources
  - many observations in system remain trustable
  - many footholds for detection, diagnosis, or recovery
- Decentralized security checks do scale
  - can be more aggressive in what checked when
10
Example: self-securing storage devices
- Protect stored data and audit storage accesses
  - even if OS is compromised
- Can save and observe anything inside device
  - retain all versions of all data
  - collect audit log of all requests
- What self-securing storage enables
  - storage-based intrusion detection
  - faster, better recovery
  - informed analysis of security compromises
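The storage slide above, as an added example (not from the original presentation or from PDL's own code): a toy Python model of a device that retains every version and logs every request, then uses that history to recover a scrubbed log and flag the non-append write. The class, method names, file paths and client labels are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class SelfSecuringStore:
    """Toy device model: every write is a new version, every request is logged.
    The host can only call read/write/delete; nothing host-facing alters history."""
    versions: dict = field(default_factory=dict)  # name -> [(t, data or None)]
    audit: list = field(default_factory=list)     # (t, client, op, name)
    clock: int = 0                                # device-side logical time

    def _log(self, client, op, name):
        self.clock += 1
        self.audit.append((self.clock, client, op, name))
        return self.clock

    def write(self, client, name, data):
        t = self._log(client, "write", name)
        self.versions.setdefault(name, []).append((t, data))
        return t

    def delete(self, client, name):
        # A delete only adds an "absent" version; earlier data is retained.
        t = self._log(client, "delete", name)
        self.versions.setdefault(name, []).append((t, None))
        return t

    def read(self, client, name, as_of=None):
        self._log(client, "read", name)
        for t, data in reversed(self.versions.get(name, [])):
            if as_of is None or t <= as_of:
                return data
        return None

    def non_append_changes(self, name):
        """Detection rule (assumed policy): a log-like object should only grow."""
        flagged, prev = [], b""
        for t, data in self.versions.get(name, []):
            if data is None or not data.startswith(prev):
                flagged.append(next(e for e in self.audit if e[0] == t))
            prev = data or b""
        return flagged

def demo():
    dev = SelfSecuringStore()
    good = dev.write("admin", "/var/log/auth.log", b"login root from console\n")
    dev.write("admin", "/etc/motd", b"hello\n")
    # Constructed intrusion: a compromised host truncates the log.
    dev.write("intruder", "/var/log/auth.log", b"")
    current = dev.read("admin", "/var/log/auth.log")
    recovered = dev.read("admin", "/var/log/auth.log", as_of=good)
    return current, recovered, dev.non_append_changes("/var/log/auth.log")
```

The host sees the truncated log, while the device can still return the earlier version and name the request that broke the append-only pattern.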
11
Example: self-securing NICs
- Protect each side from the other
  - especially when “the other” is not acting nice…
- Can observe, filter, modify communications
  - Incoming: firewall, proxy, NAT, etc…
  - Outgoing: throttle misbehaving system, tag traffic, …
- What self-securing NICs enable
  - distributed, coordinated traffic analysis
    - including insiders and more detailed checks
  - rapid deployment of new policies
  - dynamic response to attacks, worms, and partial compromises
12
Summary: device-embedded security
- Self-securing devices are an opportunity
  - creates more and independent perimeters
  - separate hardware+software gives strong base
- PDL is developing this new paradigm
  - exploring what can be done behind each perimeter
    - … and the associated hardware requirements
  - developing tools for coordinating dynamic action
  - automating detection, containment, diagnosis, recovery
  - developing tools for administering devices
13
For more information:
http://www.pdl.cmu.edu/
Greg.Ganger@cmu.edu
Director, Parallel Data Lab