1. Protecting e -Government Against Attacks Gernot Heiser NICTA and University of New South Wales

2. ©2013 Gernot Heiser, NICTA2 e-Government Threats Brussels, Feb'13 government server citizen terminal ATTACK 2

3. ©2013 Gernot Heiser, NICTA3 Application Web Server Web Server Database Management Operating System Hardware Software Complexity and Attack Surface 10 million lines 1 million lines 1 million lines of software ⇒ 1000s of faults! In security-critical software, >10% of faults become vulnerabilities Critical Brussels, Feb'13 3

4. ©2013 Gernot Heiser, NICTA4 Hardware Hypervisor Application Web Serv. Web Serv. Data base Mgmt OS VM 1 Application Web Serv. Web Serv. Data base Mgmt OS VM 2 Virtualization Single physical machine Multiple virtual machines Extra software layer Advantages: server consolidation reduced management cost improved utilisation reduced energy use Disadvantages: increased attack surface Brussels, Feb'13 4

5. ©2013 Gernot Heiser, NICTA5 Attack Surface ComponentTotal sizeCritical partVulnerabilities Management1 MLOC 100s Web server, database, application 10 MLOC1 MLOC100s Operating System 10 MLOC 1000s Hypervisor1 MLOC 100s Brussels, Feb'13 Critical 5

6. ©2013 Gernot Heiser, NICTA6 Hardware Hypervisor Compromised OS Compromised OS VM 1 Target OS Target OS VM 2 Virtualization Attacks: Server-to-Server Virtual machines isolated by hypervisor ⇒ isolation only as good as hypervisor Target may not even know about co-location! Attack Brussels, Feb'13 6

7. ©2013 Gernot Heiser, NICTA7 Hardware Hypervisor Compromised OS Compromised OS VM 1 Target OS Target OS VM 2 Virtualization Attacks: Side Channels Demonstrated theft of encryption keys Information leakage through hardware/hyper visor Without affecting “correct” hypervisor operation! Brussels, Feb'13 7

8. ©2013 Gernot Heiser, NICTA8 Hardware Microkernel Application Web Serv. Web Serv. Data base Mgmt OS Virtualization Functionality Virtualization Functionality VM 2 Application Web Serv. Web Serv. Data base Mgmt OS Virtualization Functionality Virtualization Functionality VM 1 Decrease Attack Surface: Microkernels 10 MLOC, not isolation- critical 10 MLOC, not isolation- critical 0.01 MLOC, isolation- critical 0.01 MLOC, isolation- critical Split hypervisor functionality Brussels, Feb'13 8

9. ©2013 Gernot Heiser, NICTA9 Microkernels Track record: OKL4 microkernel deployed on > 1.5 billion mobile devices Developed by NICTA, marketed by Open Kernel Labs Unparalleled security potential: 10,000 lines ⇒ minimal vulnerabilities Small enough to prove absence of faults Brussels, Feb'13 NICTA’s seL4 microkernel: First and only operating-system with proof that operation is always according to specification NICTA’s seL4 microkernel: First and only operating-system with proof that operation is always according to specification … and as fast as any microkernel! 9

10. ©2013 Gernot Heiser, NICTA10 Terminals Brussels, Feb'13 Bigger challenge than servers Live in uncontrolled environments Run large amounts of untrusted software Large percentage infected by malware Cannot be trusted to keep secrets! 10

11. ©2013 Gernot Heiser, NICTA11 Hardware Hypervisor Apps OS VM 1 Secure App Mini OS VM 2 Protecting Terminals – With Virtualization! Standard smartphone OS + apps Minimal secure environment, protected by hypervsior Data encrypted and securely sent through standard environment Brussels, Feb'13 11

12. ©2013 Gernot Heiser, NICTA12 Recommendations 1.Require provably secure virtualization technology (after transition period) –provide incentive to industry for delivering secure products 2.Fund development of open-source provably secure virtualization technology (equivalent to seL4) –avoid private monopoly for critical infrastructure 3.Require certified secure communication functionality on terminals accessing e-government services (after transition period) –provide incentive to industry for delivering secure products Brussels, Feb'13 12