Protecting e-Government Against Attacks
Gernot Heiser, NICTA and University of New South Wales
e-Government Threats
Diagram: attack path between the citizen terminal and the government server.
Brussels, Feb'13

Software Complexity and Attack Surface
Diagram: software stack of a government server.
• Application layer (web server, management, database): 1 million lines of software ⇒ 1000s of faults!
• Operating system (critical): 10 million lines
• Hardware
In security-critical software, >10% of faults become vulnerabilities.

Virtualization
Diagram: multiple virtual machines (VM1, VM2), each with its own application stack (web server, management, database) and OS, on an extra software layer, the hypervisor, on a single physical machine.
• Advantages:
  • server consolidation
  • reduced management cost
  • improved utilisation
  • reduced energy use
• Disadvantages:
  • increased attack surface

Attack Surface
Diagram: the critical part of the virtualized stack highlighted.

Virtualization Attacks: Server-to-Server
Diagram: a compromised OS in VM1 attacks the target OS in VM2 through the hypervisor and hardware.
• Target may not even know about co-location!
• Virtual machines isolated by hypervisor ⇒ isolation only as good as hypervisor

Virtualization Attacks: Side Channels
Diagram: compromised OS in VM1 and target OS in VM2 share the same hypervisor and hardware.
• Information leakage through hardware/hypervisor
• Demonstrated theft of encryption keys
• Without affecting “correct” hypervisor operation!

Decrease Attack Surface: Microkernels
Diagram: VM1 and VM2 each hold applications (web server, management, database) on an OS plus virtualization functionality (10 MLOC, not isolation-critical); beneath them a microkernel (0.01 MLOC, isolation-critical); then hardware.
• Split hypervisor functionality: per-VM virtualization functionality above a small isolation-critical microkernel

Microkernels
Track record:
• OKL4 microkernel deployed on > 1.5 billion mobile devices
• Developed by NICTA, marketed by Open Kernel Labs
Unparalleled security potential:
• 10,000 lines ⇒ minimal vulnerabilities
• Small enough to prove absence of faults
NICTA’s seL4 microkernel: first and only operating system with proof that operation is always according to specification … and as fast as any microkernel!

Terminals
Bigger challenge than servers:
• Live in uncontrolled environments
• Run large amounts of untrusted software
• Large percentage infected by malware
• Cannot be trusted to keep secrets!
Protecting Terminals – With Virtualization!
Diagram: VM1 runs the standard smartphone OS + apps; VM2 runs a minimal secure environment (secure app on a mini OS), protected by the hypervisor; both on the hypervisor on hardware.
• Data encrypted and securely sent through standard environment
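The protected-terminal design above puts the key material and the encryption in the minimal secure VM, while the untrusted standard environment only relays bytes it cannot read or modify undetected. The following Go program is an added illustration of that split; it is not code from the talk or from NICTA. It assumes a shared AES-256 key provisioned out-of-band to the secure app and the government server, uses AES-GCM as the authenticated-encryption scheme, and uses constructed sample values (key, request, context label) that are not from the original.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Endpoint is one end of the protected channel: the secure app in the
// terminal's minimal VM, or the government server. Only these two hold the key;
// the standard smartphone environment never sees it.
type Endpoint struct {
	aead cipher.AEAD
}

// NewEndpoint wraps a 16/24/32-byte AES key in AES-GCM (authenticated encryption).
func NewEndpoint(key []byte) (*Endpoint, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Endpoint{aead: aead}, nil
}

// Seal encrypts and authenticates plaintext before it leaves the secure VM.
// context (e.g. the service name) is bound into the tag but travels in the clear.
// Output layout: nonce || ciphertext || tag.
func (e *Endpoint) Seal(plaintext, context []byte) ([]byte, error) {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := e.aead.Seal(nil, nonce, plaintext, context)
	return append(nonce, ct...), nil
}

// Open verifies the tag and decrypts; any modification in transit is rejected.
func (e *Endpoint) Open(msg, context []byte) ([]byte, error) {
	ns := e.aead.NonceSize()
	if len(msg) < ns+e.aead.Overhead() {
		return nil, errors.New("message too short")
	}
	return e.aead.Open(nil, msg[:ns], msg[ns:], context)
}

// UntrustedRelay models the standard smartphone OS and apps (VM1). It only
// forwards bytes it cannot read; with tamper set it flips one bit of the
// message, modelling a malware-infected relay that tries to alter the data.
func UntrustedRelay(msg []byte, tamper bool) []byte {
	out := append([]byte(nil), msg...)
	if tamper && len(out) > 0 {
		out[len(out)-1] ^= 0x01
	}
	return out
}

// Constructed sample values (assumptions, not from the talk): a key provisioned
// out-of-band to the secure app and the server, and a citizen's request.
var (
	sampleKey     = []byte("0123456789abcdef0123456789abcdef") // 32 bytes, AES-256
	sampleRequest = []byte("tax-return-2013: income=42000")
	sampleContext = []byte("egov.example/tax")
)

// RoundTrip sends the sample request from the secure app through the relay to
// the server. It returns what the server accepted, whether the relay could see
// the plaintext in the bytes it forwarded, and any authentication error.
func RoundTrip(tamper bool) (accepted []byte, relaySaw bool, err error) {
	secureApp, err := NewEndpoint(sampleKey)
	if err != nil {
		return nil, false, err
	}
	server, err := NewEndpoint(sampleKey)
	if err != nil {
		return nil, false, err
	}
	sealed, err := secureApp.Seal(sampleRequest, sampleContext)
	if err != nil {
		return nil, false, err
	}
	onTheWire := UntrustedRelay(sealed, tamper)
	relaySaw = bytes.Contains(onTheWire, sampleRequest)
	accepted, err = server.Open(onTheWire, sampleContext)
	return accepted, relaySaw, err
}

func main() {
	if pt, saw, err := RoundTrip(false); err == nil {
		fmt.Printf("honest relay: server accepted %q (relay saw plaintext: %v)\n", pt, saw)
	}
	if _, _, err := RoundTrip(true); err != nil {
		fmt.Println("tampering relay: server rejected message:", err)
	}
}
```

The point of the split is visible in the two runs: with an honest relay the server recovers the request and the relay never saw it; with a tampering relay the server rejects the message, so a compromised standard environment can at most deny service, not read or forge e-government data. Key provisioning and how the secure VM is launched are outside this sketch.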
Recommendations
• Require provably secure virtualization technology (after transition period)
  • provide incentive to industry for delivering secure products
• Fund development of open-source provably secure virtualization technology (equivalent to seL4)
  • avoid private monopoly for critical infrastructure
• Require certified secure communication functionality on terminals accessing e-government services (after transition period)
  • provide incentive to industry for delivering secure products