Keynote Presentation

A presentation at Defense in Depth Conference in November 2018 in Tysons, VA, USA by Shawn Wells

Slide 1

Slide 1

Steve Orrin | Shawn Wells

Slide 2

Slide 2

IMPORTANCE OF PLATFORM SECURITY What are Intel and Red Hat doing to help you secure your systems and infrastructure?

Slide 3

Slide 3

CYBER SECURITY DEFENSE HOST & SYSTEM SECURITY 3 NETWORK DATA & THREAT APPLICATIONS INTELLIGENCE IDENTITY & ACCESS

Slide 4

Slide 4

EVOLVING THREAT MODEL INTEL DRIVES INNOVATION to embed security innovations into hardware, supporting capabilities for more secure devices, operating systems, and applications. Hardware based security is the next evolution for protection.

Slide 5

Slide 5

SECURING & PROTECTING THE PLATFORM FIRMWARE OPERATING SYSTEM • Trusted power on • Trusted power on • Safe updates • Core operating system file protection • Secure device provisioning • Improved virtualization and container security APPLICATIONS DATA SECURITY SOFTWARE • Trusted execution environments • Faster encryption performance • Hardened security Functionality • User authentication • Secure key storage • Improved performance • Secure key handling • Data security and compartmentalization • Deeper systems visability Hardware-embedded controls can make fundamentals of computing more safe, private, secure

Slide 6

Slide 6

VISION FOR PLATFORM SECURITY Execution environment isolating operations from manipulation or disclosure SGX (S/W Guard Extensions) Provides unique ID for device, can serve as basis for authentication EPID (Enhanced Privacy ID) MANAGEMENT Provides device management, provisioning, policy

  • MeshCentral for IoT Gateways - AMT for VPro VERIFIED BOOT Verifies boot process, enables s/w identification. Enforces platform boot policies Secure Boot using TXT and TPM SECURE STORAGE Sensitive data protected from misuse or disclosure when in use, transit, storage
  • TPM: Trusted Platform Module - PTT: Platform Trust Technology TRUSTED EXECUTION ENVIRONMENT DEVICE IDENTIFICATION

Slide 7

Slide 7

INTEL SECURITY ESSENTIALS PLATFORM INTEGRITY Intel Platform Protection Technology with Boot Guard Verifies OEM pre-OS boot loader code executing out of reset Intel Platform Protection Technology with OS Guard Helps prevent malicious code from executing out of application memory space Intel Trusted Execution Technology (TXT) TCG Compliant Secure Boot with attestation Framework & common root-of-trust security capabilities across Intel processors

Slide 8

Slide 8

INTEL SECURITY ESSENTIALS TRUSTED EXECUTION Intel Software Guard Extensions Intel Virtualization Technology Enables creation and use of isolated app enclaves to protect against attacks on executing code or data stored in memory Creates firewall between main operating system and secure workloads running inside a secure virtual machine Framework & common root-of-trust security capabilities across Intel processors

Slide 9

Slide 9

INTEL SECURITY ESSENTIALS PROTECTED DATA, KEYS, IDENTITY Intel Platform Trust Technology Integrated H/W TPM enables secure storage of keys/credentials, boot block measurements for remote attestation Intel Enhanced Privacy ID Cryptographic scheme provides direct anonymous attestation of hardware for privacy Framework & common root-of-trust security capabilities across Intel processors

Slide 10

Slide 10

INTEL SECURITY ESSENTIALS CRYPTO ACCELERATORS Intel Data Protection Technology with Secure Key Intel Advanced Encryption Standard New Instructions High entropy source of random numbers to generate keys Accelerates math calculations for AES-NI encryption Framework & common root-of-trust security capabilities across Intel processors

Slide 11

Slide 11

WHAT IS PLATFORM SECURITY SECURE BOOT CRYPTO ACCELERATION ATTESTATION & ASSURANCE

Slide 12

Slide 12

Trusted Execution Technology Intel® Chipset BIOS Flash TPM VT VMM/ OS BootGuard SECURE BOOT TXT and BootGuard H/W root of trust for secure boot Ability to program OEM root of trust into Field Programmable Fuses (FPF) FPF profiles for configuration and tools Verified boot or Verified & Measured Boot options Ability to use Platform Trust Technology (PTT) or TPM Extend chain of trust to hypervisor and VMs Local and Remote attestation support

Slide 13

Slide 13

HARDWARE ACCELERATED CRYPTOGRAPHY AES-NI DRNG ADOX/ADX UBIQUITOUS DATA PROTECTION WITH CRYPTOGRAPHIC ACCELERATION STRONGER ENCRYPTION WITH ON-BOARD DIGITAL RANDOM NUMBER GENERATOR INSTRUCTION FOR USE IN LARGE INTEGER ARITHMETIC (> 64b) AES-NI allows significant performance at a lower price-point with no custom hardware. High degree of entropy provides quality random numbers for encryption keys and other operations. Common use is Public Key cryptography (e.g. RSA). DRNG solves the problem of limited entropy in virtual and container platforms.

Slide 14

Slide 14

QUICK ASSIST TECHNOLOGY LEWISBURG-NS CHIPSET - Third generation Intel QuickAssist Technology - First chipset offered in a common server platform - Purely-EP platform

Slide 15

Slide 15

TRUSTED COMPUTE POOLS Trusted Pools Control VMs based on platform trust to better protect data VIRTUALIZED & CLOUD USE MODELS - Ensure only trustable hypervisor is run on platform - Protecting server prior to virtualization s/w boot - Launch-time protections against run-time malware Trusted Launch Verified platform integrity reduces malware threat

  • Compliance support Internet CONTROL VMs BASED ON PLATFORM TRUST - Pools of platforms with trusted hypervisor - VM Migration controlled across resource pools - Similar to clearing airport security and moving freely between gates Compliance Hardware support for compliance reporting enhances auditability of cloud environment

Slide 16

Slide 16

OpenCIT - Whitelist-based chain of trust between BIOS, firmware, O/S kernel and hypervisor - Ability to tag/verify hosts with custom attributes stored in TPM - OpenStack and hypervisor integration - Mutual SSL, RESTful API, userdefined TLS policies

Slide 17

Slide 17

OpenCIT & Red Hat OpenStack Platform TRUST FROM BIOS TO WORKLOAD - Boot time integrity - Workload can be container or VM - Integrated with Red Hat OpenStack Platform ENTERPRISE OWNERSHIP AND CONTROL - Encrypt a workload before moving to cloud - Own and manage encryption keys - Release keys to CSP after integrity check succeeds

Slide 18

Slide 18

NIST IR 7904 REFERENCE ARCHITECTURE Joint Collaboration between NIST, Intel Corporation, and Software Vendors to demonstrate the ability to control and audit workload and data provisioning based on system trust and geo-location http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.7904.pdf

Slide 19

Slide 19

CHIPSEC Collect tests for known vulnerabilities ○ Continuous improvement of platform security Capture community research as test cases ○ Supports coordinated disclosure and security assessment https://github.com/chipsec/chipsec

Slide 20

Slide 20

$ ./common.smrr [+] imported chipsec.modules.common.smrr [x][ =========================================================== [x][ Module: CPU SMM Cache Poisoning / SMM Range Registers (SMRR) [x][ =========================================================== … [+] OK. SMRR are supported in IA32_MTRRCAP_MSR … [+] OK so far. SMRR Base is programmed … [+] OK so far. SMRR are enabled in SMRR_MASK MSR … [+] OK so far. SMRR MSRs match on all CPUs [+] PASSED: SMRR protection against cache attack seems properly configured

Slide 21

Slide 21

EXCITE Fuzzing for Automated Detection of Code Security Issues in BIOS Excite is a powerful tool for excavating BIOS security vulnerabilities in an automated mode. Combines dynamic selective symbolic execution and guided fuzzing for test case generation. Flow uses Simics to dump platform data and replay tests while measuring coverage. https://software.intel.com/en-us/2017/06/06/finding-bios-vulnerabilities-withexcite

Slide 22

Slide 22

Summary ● The threats to the platform continue to evolve deeper in the stack ● Intel & Red Hat are focused on providing access to security capabilities that: ○ ○ ○ Enhance platform security and visibility Provide efficient and performant cryptography Drive scalable assurance and compliance ● Reducing the surface area of attack and providing advanced security features in hardware, firmware and software, Intel & Red hat are hardening the platform and enabling platform trust.

Slide 23

Slide 23

INNOVATION DOES NO GOOD IF YOU CAN’T SECURE IT

Slide 24

Slide 24

Slide 25

Slide 25

The government created a control catalog. Could we create a response catalog? Can deployment specific ATO materials be dynamically generated?

Slide 26

Slide 26

Structured language for ATO responses, created by 18F

Slide 27

Slide 27

  • control_key: AC-14 standard_key: NIST-800-53 covered_by: [] implementation_status: complete narrative: - text: | ‘Regardless of access mechanism, such as the Ansible Tower console, unauthenticated users will only be shown the system use notifications (as defined in AC-8) and login prompt. This is non-configurable behavior.’

Slide 28

Slide 28

name: DoD-STIG name: FedRAMP-mod name: DHS-4300A standards: standards: standards: NIST-800-53: NIST-800-53: NIST-800-53: AC-1: {} AC-1: {} AC-20 (1): {} AC-14: {} AC-2: {} AC-20 (2): {} AU-2: {} AT-7: {} AC-20 (3): {} SC-3: {} AU-11: {} AC-20 (4): {} SI-7: {} CA-4: {} AC-21: {}

Slide 29

Slide 29

Slide 30

Slide 30

Slide 31

Slide 31

Automated configuration scans, co-founded with NSA Information Assurance

Slide 32

Slide 32

Slide 33

Slide 33

ANSIBLE PLAYBOOKS AVAILABLE ON GALAXY, INCLUDING … DoD STIG C2S • Last updated for RHEL 7.6 • Available in any RHEL image, not just highside AMIs • Lowside development with same security settings as higher environments FBI CJIS HIPAA • Criminal Justice Information Services (CJIS) • Used by federal and commercial healthcare • Police, court systems, evidence handling systems https://galaxy.ansible.com/RedHatOfficial

Slide 34

Slide 34

NIST NATIONAL CHECKLIST PROGRAM The National Checklist Program (NCP) is the U.S. Government repository of publicly available security checklists, that provide detailed low level guidance, on setting the security configuration of system components and applications https://nvd.nist.gov/ncp/repository?authority=Red+Hat&startIndex=0

Slide 35

Slide 35

Slide 36

Slide 36

T R E S EA

Slide 37

Slide 37

Slide 38

Slide 38

Slide 39

Slide 39

Slide 40

Slide 40

THANK YOU