Grand Research Challenges for

Cybersecurity of Critical Information and Infrastructures

Paulo Esteves-VeríssimoUniv. of Luxembourg, FSTC / SnT

paulo.verissimo@uni.lu http://staff.uni.lu/paulo.verissimo

CritiX Lab (Critical and Extreme Security and Dependability)

Distinguished Lectures Series in Cybersecurity, TU Darmstadt, Darmstadt,

May 2018 .

Grand Research Challenges for

Cybersecurity of Critical Information and Infrastructures

Paulo Esteves-VeríssimoUniv. of Luxembourg, FSTC / SnT

paulo.verissimo@uni.lu http://staff.uni.lu/paulo.verissimo

CritiX Lab (Critical and Extreme Security and Dependability)

Science of Security Speaker Series, Information Trust Institute, U. Illinois

Urbana/ Champaign, April 2017 .

The world is becoming an immense(interconnected) infrastructure

ISP

ISP

CLOUD COMPUTING AND

COMMUNICATIONS

Internet minute

www.intel.com/.../internet-minute-infographic.html

CritiXresearch

vision

People

Type theory, Programming languages, Proof assistants, Distributed computing

Dr. Vincent Rahli (FR)

Prof. Paulo Esteves-Veríssimo (PT)

Secure and dependable distributed architectures, middleware and algorithms

Dr. Jérémie Decouchant (FR)Distributed systems' performance and fault tolerance, privacy and security, multicore systems, peer-to-peer protocols

Admin. assistant

Natalie Kirf (DE)

Dr. Marcus Völp (DE)Microkernel and microhypervisorOS-level protection, CPS, RTES

Dr. Jiangshan Yu (CN)Design and analysis of crypto protocols, Secure authentication, Post compromise security, Public-ledger applications

Dr. David Kozhaya (LB)Reliable and real-time distributed computing, fault-tolerance in distributed control systems (SCADA/ DCS)

- Critical and Extreme Security and Dependability Research LabResearch enablers for the next generation of protection

• Critical Security and Dependability: – information and infrastructures under advanced

persistent threats• Extreme Computing:

– CSE pushed to the extremes of functional and non-functional properties

• Architecting and designing for resilience: – accidental and malicious faults; protection in an

incremental way; automatic adaptation

Software Defined Networking (SDN)the other face of the problem• ironically, causes of concern lie in SDN's main benefits:

– network programmability and control logic centralization– smaller diversity – new threats that did not exist before or were harder to exploit

[Kreutz et al., ACM HotSDN’13]

Networked Control Systems: no longer closed, proprietary, or dumb

RVRAVR

Feedback Control

FIREWALL Protection

Device

Generator

[Bessani et al., IEEE Sec&Priv Mag.’08]

Chart1

Category 1

Category 2

Category 3

Category 4

Category 5

Category 6

Category 7

Category 8

Category 9

Category 10

Category 11

Category 12

Category 13

Category 14

Category 15

Category 16

Category 17

Category 18

Category 19

Category 20

Category 21

Category 22

Category 23

Category 24

Category 25

Series 1

1.1

1

1.1

1

1.1

1

1.1

0.9

1

1.1

1

2

0.9

1.1

1

0.8

1.2

0.9

1

1.1

1

0.9

1

0.9

1

Sheet1

Series 1

Category 11.1

Category 21

Category 31.1

Category 41

Category 51.1

Category 61

Category 71.1

Category 80.9

Category 91

Category 101.1

Category 111

Category 122

Category 130.9

Category 141.1

Category 151

Category 160.8

Category 171.2

Category 180.9

Category 191

Category 201.1

Category 211

Category 220.9

Category 231

Category 240.9

Category 251

X-by-wire Networked Vehicles: no longer mechanical and isolated

[Lima et al., ACM CPS-SP@CCS’16]

The safety-security gap in vehicle ecosystems

Towards Safe and Secure Autonomous and Cooperative Vehicle Ecosystems. Lima, A; Rocha, F; Volp, M; Verissimo, P. in Proc’s 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy (2016, October) @CCS, Vienna-Austria

Autonomous vehicle ecosystem threat plane

Genomics and Biomedical vs. Big Data

• Next Generation Sequencing dramatically decreased sequencing price

• Amount of data handled will scale up.

• Cloud and big data analytics onto the agenda

Big DataBiomedical

[Verissimo et al., IEEE Sec&Priv Mag.’13]

Privacy- and integrity-preserving data processingThe e-biobanking vision

Alysson Bessani et al., BiobankCloud: a Platform for the Secure Storage, Sharing, and Processing of Large Biomedical Data Sets”, in Proc’s of the 1st Int. Workshop on Data Mgt. and Analytics for Medicine and Healthcare (DMAH 2015), Hawaii, US, Sept. 2015.

http://www.navigators.di.fc.ul.pt/wiki/Publication:Bessani2015biobankcloud-platform

Privacy-preserving (really) distributed DNA alignment!

DNA workflows in an e-biobankingecosystem

19

• Classical DNA workflow does not fit the e-biobanking vision, where data are:• generated and stored in multiple locations• accessible from different locations• processed in distributed way

• (any) DNA workflows must guarantee that DNA data must be protected, with incremental levels according to need, upon:• storage,• computation, • publishing, sharing

Blockchain

• A distributed ledger• Everyone can R/W

• Features (desired…):– Secure: non-changeable history– Available: no single point of failure– Resilient: fault and intrusion tolerant– Transparent: everyone can read– TTP free: no centralised entity to

operate or maintain the ledger.Image source: https://www.catalysts.cc/wp-content/uploads/2017/02/dreamstime_m_83584594.jpg

Blockchain for FinTech and Crypto-currency: challenges• Scalability:

– Currently, the number of records/transactions per second is limited. To makeblockchain useful in financial applications, it is crucial to solve this challenge.

• Security:– Blockchain is vulnerable to attacks such as double spending, selfish mining,

renting, some of which consequence of ambiguous model definitions. We need a more robust and resilient system for critical financial applications.

• Privacy:– Currently, anyone can read the transparent ledger, how to provide user privacy

but still preserve transparency is a key challenge.• Consensus:

– A client can never be guaranteed that a record/transaction is included in theblockchain. Important to provide fast, deterministic, and verifiable guarantees.

Meeting the Challenges ofCritical Dependability and SecurityPEARL project IIS&D - Information Infrastructure Security and DependabilityValue proposal:

CPS infrastruct. and control

Internet and cloud

infrastruct.

Sec&Depof

embedded compon.

Highly sensitive

data privacy and

integrity

Architecting and designing for resilience

• comprehensive approach to those threats,from first principles: “build defence in”

• simultaneously coping with accidental and malicious faults

• provide protection in an incremental way,not all threats are extreme, or all systems critical

• automatically adapt to a dynamic range of severity of threats

• seek unattended and perpetual operation

Is resilience really necessary?

Conventional Software Vulnerabilitiesever increasing

Number of new vulnerabilitiesper year

(Sources: IBM xForce, Symantec, Telexa)

Cyberspace today

• immense, interconnected, interdependent infrastructure

• exposure: pressure to be “on-line”• steadily increasing software

vulnerabilities

• powerful adversary actors and sophisticated exploit tools

• Elevated risk in all cyber components

(Source: Adapted from Lipson, H. F., Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues, Special Report CMS/SEI-2002-SR-009, November 2002. (CERT)

High

Low

1980 1985 1990 1995 2000

password guessingself-replicating code

password crackingexploiting known vulnerabilit ies

disabling auditsback doors

hijacking sessions

sweeperssniffers

packet spoofing

GUIautomated probes/ scans

denial of service

www attacks

Attacks

Attackers“stealth” / advanced scanning techniques

burglaries

network mgmt. diagnostics

DDOS attacks

20xx…

Bot Nets

Embedded malicious

code

Required Attacker expertise

AvailableAttack sophistication

TARGETED ATTACKS a.k.a.

ADVANCED PERSISTENT

THREATS

Attack sophistication vs. attacker expertise

Tailored Subversion and Intrusion

A world full of threats?

• targeted attacks and advancedpersistent threats, by nation-stateactors and other powerful agents

• weakening and subversion of comms and computing services

• threats to privacy: mass surveillanceand data collection

• sophisticated automated cyber weapons

• organised crime

Designing and architecting for resilience1. we want systems to operate

through faults and attacks in a seamless manner, in an automatic way

2. we want systems to endure the fact that operating conditions and environments are everyday more uncertain and/or hostile

3. we want systems to be deployed in unattended manner

4. we want systems to attain veryhigh levels of assurance

Preventing and Tolerating Faults and Intrusions

Handling Incremental Threat Severity

Resisting Continued Threats

Validating and Assessing Assumptions and Mechanisms

P Verissimo, M Correia, N Neves, P Sousa, “Intrusion-Resilient Middleware Design and Validation”, in Information Assurance, Security and Privacy Services. Emerald Group Publishing Limited, May 2009, vol. 4.

P Verissimo, N Neves, M Correia, “Intrusion-Tolerant Architectures: Concepts and Design”, in Architecting Dependable Systems, ser. LNCS. Springer-Verlag, Jun. 2003, vol. 2677. Ext. vers. in http://hdl.handle.net/10451/14253

http://www.navigators.di.fc.ul.pt/wiki/Publication:Verissimo09hishttp://www.navigators.di.fc.ul.pt/wiki/Publication:Paulo-verissimo2003intrusion-tolerant-architectures-123http://hdl.handle.net/10451/14253

Designing dependable and secure systems:a brief history

Host A

Designing dependable and secure systemsthe zero-defect goal

Host B

Host C

Host D

Host AHost A

Designing dependable and secure systemszero-defect goal considered infeasible:

NOTES:(i) there will always be vulnerabilities in a fully-fledged system

Host AHost A

Designing dependable and secure systemsreality in real-world systems

Host A

Host BHost C

Host D

NOTES:(i) there will be quite a few vulnerabilities in a real-world system

Attack-Vulnerability-Intrusion composite fault model

NOTES:(i) This model, introduced in the MAFTIA project, will help analyze the situation(ii) state includes data, code, metadata, configuration variables, etc.(iii) “failure” means failure of any security property, when and if perceived by a user 38

AVI fault model: attack + vulnerability→ intrusion → error → failure

Intruder/Designer/Operator

vulnerability(fault)

Intruderattack(fault)

intrusion (fault)

error failure

(ii) state is erroneous

(iii) failure will ensue sooner or

later

[Verissimo et al., IEEE Sec&Priv Mag.’06]

(i) Composite fault: v+a

Classical security: Intrusion prevention

Intruderattack(fault)

intrusion (fault)

error failure

attack prevention

vulnerabilityprevention

intrusion prevention

vulnerabilityremoval

Intruder/Designer/Operator

vulnerability(fault)

Intrusion prevention!

Designing dependable and secure systemsreality in real-world systems – optimistic view

Host A

Host B

Host C

Host D

Host AHost AHost A

Host B

Host C

Host D

Host AHost A

Designing dependable and secure systemsreality in real-world systems – optimistic view

Host A

Host B

Host C

Host D

Host A

Host B

Host C

Host D

Host AHost A

Designing dependable and secure systemszero attack-vulnerability-match goal

Host A

Host B

Host C

Host D

Host A

Host B

Host C

Host D

NOTES:(i) Individual vulnerabilities and attacks exist, we try to prevent their successful matches

Classical security: Intrusion prevention

vulnerabilityremoval

Intruder/Designer/Operator

vulnerability(fault)

Intruderattack(fault)

attack prevention

vulnerabilityprevention

intrusion prevention

Indispensable but not perfect ...

Host C

Classical security: Intrusion prevention

intrusion (fault)

error failure

Host C

intrusion prevention

Ah, but that’s a residual probability ! riiiiight ?...

Classical security: Intrusion prevention

intrusion (fault)

error failure

Host C

intrusion prevention

If it MAY happen, it WILL happen!

Classical security: Intrusion detection

vulnerabilityremoval

Intruder/Designer/Operator

vulnerability(fault)

Intruderattack(fault)

intrusion (fault)

error failure

attack prevention

vulnerabilityprevention

intrusion prevention

Intrusiondetection!

Classical security: Intrusion detection

vulnerabilityremoval

Intruder/Designer/Operator

vulnerability(fault)

Intruderattack(fault)

intrusion (fault)

error failure

attack prevention

vulnerabilityprevention

intrusion prevention

Which is useful but imprecise, incomplete and slow ...

NOTES:(i) after intrusion, the system is in the path to failure, so incompleteness or slowliness of intrusion

detection and/or ad-hoc processing/mitigation, bears a high risk of failure of a security propertyas perceived by a user

And what’s worse, some individual failures will still occur

Back to the AVI composite fault model

• what remains, as ‘action points’ before failure?

• why not act after errors caused by intrusions, by intrusion tolerance, as in “fault tolerance”?

53

vulnerabilityremoval

Intruder/Designer/Operator

vulnerability(fault)

Intruderattack(fault)

intrusion (fault)

error failure

attack prevention

vulnerabilityprevention

intrusion prevention

intrusiondetection

We are here!

Automatic Dependability and Security: intrusion tolerance

Intruderattack(fault)

intrusion (fault)

error failure

attack prevention

vulnerabilityprevention vulnerabilityremoval

Intruder/Designer/Operator

vulnerability(fault) intrusion

preventionintrusiontolerance

P Verissimo, N Neves, M Correia, “Intrusion-Tolerant Architectures: Concepts and Design”, in Architecting Dependable Systems, ser. LNCS. Springer-Verlag, Jun. 2003, vol. 2677. Ext. vers. in http://hdl.handle.net/10451/14253

http://www.navigators.di.fc.ul.pt/wiki/Publication:Paulo-verissimo2003intrusion-tolerant-architectures-123http://hdl.handle.net/10451/14253

What is Intrusion Tolerance?

• The tolerance paradigm in security:– Assumes that systems remain to a certain extent vulnerable– Assumes that attacks on components or sub-systems can happen

and some will be successful– Ensures that the overall system nevertheless remains secure and

operational, preventing “failure”, as failure of a security property, when and if perceived by a user

– Paradigms and techniques can simultaneously cover accidental andmalicious faults (dependability and security)

• In other words:– Faults--- malicious and other--- occur– They generate errors, i.e. component-level security compromises– Error processing mechanisms make sure that system-level security

failure is prevented

55

Design for Resilience

© 2002-08 Paulo Veríssimo - All rights reserved, no unauthorized reproduction in any form 1.56

Some philosophy for a start• What characterizes a dependable system?

– A set of safety and liveness properties• What characterizes a secure system?

– A set of safety and liveness properties• What may impair a dependable system?

– A set of faults -> failure• What may impair a secure system?

– A set of faults (attacks, vulnerabilities, intrusions) -> failure• How do I make a system dependable (normally)?

– Using fault avoidance (prevention, removal) and fault tolerance (error detection, recovery, masking)

• How do I make a system secure (normally)?– Using fault avoidance (attack prevention, vulnerability removal)

– and some bits of fault tolerance (intrusion detection)– Nowadays, increasingly fault tolerance (intrusion detection, recovery,

masking)

Intrusion Tolerance: error processing

• Error detection and recovery techniques:– effective use of intrusion detection: integrated in a principled and

automatic process– system detects errors resulting from intrusions– system either goes back to a previous state known as correct, and

resumes/restarts operation, or reconfigures and proceeds forward to state seeking correct provision of service

57

Recover and resume/restart after intrusion Reconfigure after intrusion

Intrusion Tolerance: error processing

• Error masking techniques– redundancy allows providing correct service without glitch– system masks errors resulting from intrusions– works whilst enough redundancy for number of faults

58

Detection not needed, whatever happens, error is masked

Intrusion Tolerance: error processing techniques• backward recovery:

– system goes back to a previous state known as correct and resumes– system suffers DOS (denial of service) attack, and re-executes the

corrupted operation– system detects corrupted files, pauses, reinstalls them, goes back– system detects corrupted message signature, discards, send nack

59

Redo after attack

Intrusion Tolerance: error processing techniques• forward recovery:

– proceeds forward to state that ensures correct provision of service (evasion, moving target defense)

– system detects intrusion, considers corrupted operations lost and increases security level (threshold/quorums increase, key renewal)

– system detects intrusion, moves to degraded but safer op mode

60

“Plan B” after intrusion

Error processing at work

• backward recovery

• forward recovery

• error masking

61

Redo after attack

“Plan B” after intrusion

Whatever happens...

• slides a seguir:• difer entre prots segur (prevent) mesmo multi-

party, e tolerância (consenso e replicas, SMR)• prots multiparty/multironda portanto• pbft aspecto• poder dos híbridos (aka TEE, but used in

tolerance), simplific: minbft c LTC; ttcb smr c DTC, ainda mais simples

A methodic approach to modular and distributed resilient computing• Fault and intrusion tolerance, or automatic

security and dependability• Handle increasing threat severity• Resist continued threats

• Divide-and-conquer to beat extreme threats• Hybrid models and architectures • Ultra-reliable trusted components• High-confidence vertical verification• Privacy- and integrity-preserving data processing

Fault and Intrusion Tolerance (FIT)Masking: an abstract solution

Tolerating Faults and Intrusions automatically

f+1 out of 2f+1k out of n

f = max. number of faulty replicas (f=1 in this example)

Node

Node

Node

Incomingrequests

Resultsconsolidation

Automatic Dependability and Security: intrusion tolerance

Intruderattack(fault)

intrusion (fault)

error failure

attack prevention

vulnerabilityprevention vulnerabilityremoval

Intruder/Designer/Operator

vulnerability(fault) intrusion

preventionintrusiontolerance

Criticisms to InTol: common-mode failures or fast exhaustion; f+1 syndrome;...

Fault and Intrusion Tolerance (FIT)The fast exhaustion or common-mode failure problem

Node

Node

Node

NodeO.S.xinside!

O.S.xinside!

O.S.xinside!

O.S.xinside!

Incomingrequests

Resultsconsolidation

Host AHost A

Designing dependable and secure systemsreality in real-world systems – recap

Host A

Host B

Host C

Host D

Host AHost A

Designing dependable and secure systemsreality in real-world systems – adapting to intrusion tolerance

Host A

Host B

Host C

Host D

Host A

Host B

Host C

Host D

Hardening q.b.

Designing dependable and secure systemsreality in real-world systems – adapting to intrusion tolerance

Diversifying q.b.

Host A

Host B

Host C

Host D

Host A

Host B

Host C

Host D

Fault and Intrusion Tolerance (FIT)Hardening and Diversification - M itigating fast exhaustion

3f+1 diverse replicas (f=1 in this example)

Node

Node

Node

Node

O.S.yinside!

O.S.winside!

O.S.xinside!

O.S.zinside!

Incomingrequests

Resultsconsolidation

Host A

Host B

Host C

Host D

Designing dependable and secure systemszero failures goal despite successful intrusions ?

Host A

Host A

Host B

Host C

Host D

Designing dependable and secure systemszero failures goal despite successful intrusions ?

Only until f+1 faults produced ...

Host A

Host A

Fault and Intrusion Tolerance (FIT)The resource exhaustion (or f+1) problem

f = max. number of faulty replicas (f=1 in this example, was exceeded)

Node

Node

Node

Node

f+1 out of 3f+1k out of n

Incomingrequests

Resultsconsolidation

Fault and Intrusion Tolerance (FIT)Resisting Continued Threats

Seeking (unattended) perpetual execution

f = max. number of faulty replicas in an interval Tr

Node

Node

Node

Node

RecoverNow!

Recovered!

RecoverNow!

RecoverNow!Recovered!

Recovered!

Incomingrequests

Resultsconsolidation

Designing dependable and secure systemszero failures forever goal despite successful intrusions ?

Host AHost AHost A

Host B

Host C

Host D

Host A

Host B

Host C

Host D

Host A

Host B

Host C

Host D

[Sousa et al., DSN 05]

Only if you are faster than the attacker ...

A methodic approach to modular and distributed resilient computing• Fault and intrusion tolerance, or automatic security

and dependability• Handle increasing threat severity• Resist continued threats

• Divide-and-conquer to beat extreme threats• Hybrid models and architectures • Ultra-reliable trusted components• High-confidence vertical verification• Architecture-aware privacy-preserving data processing

Divide-and-conquer I: Hybrid models and architecturesLeveraging power at right place right time

THost B

Just hardened q.b. payload

Ultimately trusted hybrids

NOTES:(i) Trusted components must be trustworthy by construction(ii) But having trusted-trustworthy components is not enough:(iii) We need an computational model that makes payload enjoy their properties

Divide-and-conquer I: Hybrid models and architecturesLeveraging power at right place right time

Host A

Host B

Host C

Host D

T

T

T

T

Verified andtamperprooffunctional API

Optionalcontrolnetwork

Payload network, in/out

Hybridisation-awaredistributed algorithms

Replicationfor fault andintrusiontolerance

[Verissimo, Travelling through Wormholes: a new look at Distrib. Sys. Models. SIGACT News, no. 1 ’06.]

Divide-and-conquer I: Hybrid models and architecturesLeveraging power at right place right time

Host A

Host B

Host C

Host D

T

T

T

T

Paulo Verissimo, “Travelling through Wormholes: a new look at Distributed Systems Models”, SIGACT News, vol.37, no. 1, Mar. 2006.

Formally definedSecure interfaces

Leveraging trusted-trustworthy components (aka TEE) with the right set of simple functions (failure detectors, monotonic counters, reliable timers and clocks, PRG, signatures, indelible logs, binary cons.

Verified secure control network

http://www.navigators.di.fc.ul.pt/wiki/Publication:Paulo-verissimo2006travelling-through-170

Recursive building of trust & trustworthiness

93

94

Building trustworthiness

• Initial hostile/adverse environment– by (careful) assumption

• Subsystem C designed to be trustworthy– By construction

C1 C2

C3 C4 C5

C6

C1 C2

C3 C4 C5

C6

Trustworthy C (by construction)

95

Building trust

• Initial hostile/adverse environment– by (careful) assumption

• Subsystem C designed to be trustworthy– By construction

• Subsystem C becomes B ’s environment– Properties of C are assumed by B

• B trusts C– a trusted-trustworthy subsystem– to build algorithm B

C1 C2

C3 C4 C5

C6

C1 C2

C3 C4 C5

C6

B3

B5

B4

B2

B1

Trusted C (by B)

96

On coverage and separation of concerns• predicate P holds with a coverage Pr

– we say that we are confident that P has a probability Pr of holding• environmental assumption coverage (Pre)

– set of assumptions (H) about the environment where system will run– Pre = Pr (H | f) f- any fault

• operational assumption coverage (Pro)– the assumptions about how the system/algorithm/mechanism proper (A) will

run, under a given set of environmental assumptions– Pro = Pr (A | H)

Alice Bob

Luisa

PaulAlicePr(A ) = Pro x Pre = Pr (A | H) x Pr (H | f)

99

Architectural support for resilience in the presence of attacks

• research architectural support for application-aware hybrid BFT, diversity and self-healingsolutions at all levels of the hardware/software stack, esp. RTES– application-specific trusted-trustworthy components– improved performance / reduction

replica quorum number

• SGX-based consensus, namely considering:– enclave-to-enclave interaction schemes– SGX enclave availability

10

High-confidence vertical formal verification of critical components

Re-design and partial verification of BFT-SMaRt (ULisboa) One of the few fully-implemented and efficient BFT-SMR protocols We plan on building trustworthy leader change and reconfiguration

components to plug into BFT-SMaRt As mentioned above we will verify these components in Coq (theorem

prover from INRIA)

Verification of MinBFT’s (ULisboa) core trusted-trustworthy component (USIG):

• C implementation of USIG• Coq specification/implementation for verification• Verify that C code satisfies Coq, through VST (Verified

Software Toolchain) • Verify Coq spec satisfies desired safety properties through

Coq• generate target code from C with CompCert (formally verified

C compiler)

10

Threats to blockchain

10

Blockchain

Security: • Double spending attacks• Selfish mining attacks• Flash attacks• ...

Privacy:• Untraceability• Unlinkability• Transaction content/amount privacy

v.s.Transparency

• …

Consensus: • Probabilistic v.s. deterministic• Assumption (f < 1/4 or 1/3 or 1/2)

v.s.Oligopolistic mining pools

• …

Scalabilility:• #TPS is limited• Size of the ledger is ever increasing• ...

10

Solving blockchain problemswith resilience (BFT) mechanisms

Attacks/Features BitCoin BitCoin-NG ByzCoin RepuCoin

Double spending attacks

Selfish mining attack

Bribery/flash attack

Non-forkable chain

Liveness

Throughput 7 tps ? 1,000 tps 10,000 tps

The system is secure against this attack The system is vulnerable to this attack The system can prevent double spending, but its throughput maybe reduced.

Univ. Luxemb.

Science of Security: some

reflections

104

Frameworks for SoSexample goals and motivations

• A nation wishes to process as efficiently and effectively as possible, massive forests of data it somehow has access to:– About legitimate use of systems for ilegitimate purposes– About ilegitimate use of systems for ilegitimate purposes

• A nation wishes to improve prevention/ tolerance against ilegitimate use of systems– Direct attacks (inc. APT) onto systems and infrastructures– Intentional weakening or subversion of security and trust

mechanisms in ICT

105

Frameworks for SoSscope of application of results

1. A nation wishes to interpret as efficiently and effectively as possible, massive forests of data it has access to

2. A nation wishes to protect systems/infrastructures against ilegitimate use

A. IntelligenceB. Information gatheringC. Espionage

D. Infrastruct. SecurityE. Infrastruct. ProtectionF. Infrastruct. ResilienceG. Counter-espionage

106

Motivation (w rap-up)There is no trustworthy data on non-trustworthy systems

ERGO:We need models and algorithms supporting systems

that operate long enough to fulfill their mission, through threats of increasing magnitude, automatically and in an unattended mode

107

As a pre-condition to

Tolerance

• Tolerance Goal: operate correctly as long as at most f faultsof any quality occur

• This well-known formal proposition however, says very little about an important objective:

• will f+1 faults not happen “during my watch”?

108

Resilience

• Resilience Goal: tolerate any quality and quantity of faults over time – as long as the power of the threat is bounded– (i.e. at most f occur within a given interval)

• How to fulfil this formal proposition?– structure (hardening, trusted components)– diversity, randomisation, obfuscation– self-healing, ex. proactive/reactive recovery (PRR)– dynamic reconfiguration, moving target defences 109

110

Paulo Esteves-VeríssimoUniversity of Luxembourg Faculty of Science, Technology and Communication

_ and SnT, the Interdisciplinary Centre for Security, Reliability and Trust _

paulo.verissimo@uni.lu http://staff.uni.lu/paulo.verissimo

@SnTCritical and Extreme Security and Dependability

We’re hiring bright PhD students and research associates (post-docs) willing to address these challenges!

Thank you! _

�Grand Research Challenges for Cybersecurity of Critical Information and Infrastructures���Grand Research Challenges for Cybersecurity of Critical Information and Infrastructures��The world is becoming an immense (interconnected) infrastructureInternet minute��CritiX�research�visionPeopleCritiX - Critical and Extreme Security and Dependability Research Lab�Research enablers for the next generation of protectionSoftware Defined Networking (SDN)�the other face of the problemNetworked Control Systems: �no longer closed, proprietary, or dumbX-by-wire Networked Vehicles: �no longer mechanical and isolatedThe safety-security gap in vehicle ecosystemsAutonomous vehicle ecosystem threat planeGenomics and Biomedical vs. Big DataPrivacy- and integrity-preserving data processing�The e-biobanking visionDNA workflows in an e-biobanking ecosystemBlockchainBlockchain for FinTech and Crypto-currency: challengesMeeting the Challenges of �Critical Dependability and SecurityArchitecting and designing for resilienceIs resilience really necessary?Conventional Software Vulnerabilities�ever increasingCyberspace todayAttack sophistication vs. attacker expertiseTailored Subversion and IntrusionA world full of threats?Designing and architecting for resilienceDesigning dependable and secure systems:�a brief historyDesigning dependable and secure systems�the zero-defect goalDesigning dependable and secure systems�zero-defect goal considered infeasible: Designing dependable and secure systems�reality in real-world systemsAttack-Vulnerability-Intrusion composite fault modelClassical security: Intrusion preventionDesigning dependable and secure systems�reality in real-world systems – optimistic viewDesigning dependable and secure systems�reality in real-world systems – optimistic viewDesigning dependable and secure systems�zero attack-vulnerability-match goalClassical security: Intrusion preventionClassical security: Intrusion preventionClassical security: Intrusion preventionClassical security: Intrusion detectionClassical security: Intrusion detectionBack to the AVI composite fault modelAutomatic Dependability and Security: intrusion toleranceWhat is Intrusion Tolerance?Some philosophy for a startIntrusion Tolerance: error processingIntrusion Tolerance: error processingIntrusion Tolerance: error processing techniquesIntrusion Tolerance: error processing techniquesError processing at workSlide Number 62A methodic approach to modular and distributed resilient computingFault and Intrusion Tolerance (FIT)�Masking: an abstract solution�Tolerating Faults and Intrusions automaticallyAutomatic Dependability and Security: intrusion toleranceFault and Intrusion Tolerance (FIT)�The fast exhaustion or common-mode failure problemDesigning dependable and secure systems�reality in real-world systems – recapDesigning dependable and secure systems�reality in real-world systems – adapting to intrusion toleranceDesigning dependable and secure systems�reality in real-world systems – adapting to intrusion toleranceFault and Intrusion Tolerance (FIT)�Hardening and Diversification - Mitigating fast exhaustionDesigning dependable and secure systems�zero failures goal despite successful intrusions ?Designing dependable and secure systems�zero failures goal despite successful intrusions ?Fault and Intrusion Tolerance (FIT)�The resource exhaustion (or f+1) problemFault and Intrusion Tolerance (FIT)�Resisting Continued Threats�Seeking (unattended) perpetual executionDesigning dependable and secure systems�zero failures forever goal despite successful intrusions ? A methodic approach to modular and distributed resilient computingDivide-and-conquer I: Hybrid models and architectures�Leveraging power at right place right timeDivide-and-conquer I: Hybrid models and architectures�Leveraging power at right place right timeDivide-and-conquer I: Hybrid models and architectures�Leveraging power at right place right timeRecursive building of �trust & trustworthinessBuilding trustworthinessBuilding trustOn coverage and separation of concernsArchitectural support for resilience in the presence of attacksHigh-confidence vertical formal verification of critical componentsThreats to blockchainBlockchainSolving blockchain problems�with resilience (BFT) mechanismsScience of Security: some reflectionsFrameworks for SoS�example goals and motivationsFrameworks for SoS�scope of application of resultsMotivation (wrap-up)�There is no trustworthy data on non-trustworthy systemsToleranceResilience�