Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security at Different Layers of Abstractions: Application, Operating Systems, and Hardware

Bryan Payne
September 09, 2015
Technology
0
200

Security at Different Layers of Abstractions: Application, Operating Systems, and Hardware

I presented this high level introduction to security at the National Academy of Engineering Frontiers of Engineering 2015 event in Irvine, California. The presentation covers how security is influenced by different dimensions of computing including hardware and software abstractions, scale, and threat models. It concludes with my opinions on some of the largest security problems of the day: the ability for one entity to prove their security posture to another, simplifying security software engineering, and addressing the talent shortage.

Bryan Payne

September 09, 2015
Tweet

More Decks by Bryan Payne

See All by Bryan Payne
Fail, Learn, Fix: Improving Security The Old-Fashioned Way
bdpayne
0
240
BLESS: Better Security and Ops for SSH Access
bdpayne
3
720
Securing Containers the Netflix Way
bdpayne
1
2.3k
PKI at Scale Using Short-Lived Certificates
bdpayne
0
840
Platform Security Jobs at Netflix
bdpayne
0
860
Improving Cloud Security with Attacker Profiling
bdpayne
2
810
Key Management in AWS: How Netflix Secures Sensitive Data Without Its Own Data Center
bdpayne
4
1.8k
Platform Security at Netflix: Securing Microservices from the Ground Up
bdpayne
0
5.7k
An Introduction to Virtual Machine Introspection Using LibVMI
bdpayne
0
520

Other Decks in Technology

See All in Technology
4年前、あるじゃん老害エンジニアLT合戦に登壇、米国西海岸コンピュータ歴史博物館体験記の続編
toshi_atsumi
0
200
**強い**エンジニアのなり方 - フィードバックサイクルを勝ち取る / grow one day each day
soudai
62
18k
PHPカンファレンス小田原2024
ysknsid25
3
670
キャラクター制御のためのプロンプト術 for LINE Bot
uezo
0
530
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
14
35k
0→1開発における技術選定において一番大切なこと
bicstone
1
330
ChatworkのSRE部って実は 半分くらいPlatform Engineering部かもしれない
saramune
0
110
TransitGatewayの基礎
toru_kubota
0
230
HEXA OSINT CTF V3 作戦会議
meow_noisy
0
110
入社後初めてのタスクでk8sアップグレードした話.pdf
kkato1
1
380
シン・Kafka / shin-kafka
oracle4engineer
PRO
8
2.7k
「手動オペレーションに定評がある」と言われた私が心がけていること / phpcon_odawara2024
blue_goheimochi
2
320

Featured

See All Featured
XXLCSS - How to scale CSS and keep your sanity
sugarenia
240
1.2M
The Cult of Friendly URLs
andyhume
74
5.7k
Building Effective Engineering Teams - LeadDev
addyosmani
27
1.8k
Side Projects
sachag
451
41k
From Idea to $5000 a Month in 5 Months
shpigford
377
45k
RailsConf 2023
tenderlove
2
530
Why Our Code Smells
bkeepers
PRO
331
56k
Building an army of robots
kneath
300
41k
Navigating Team Friction
lara
177
13k
StorybookのUI Testing Handbookを読んだ
zakiyama
11
4.6k
A Modern Web Designer's Workflow
chriscoyier
688
190k
Six Lessons from altMBA
skipperchong
20
3k

Transcript

  1. Security at Different Layers of Abstractions Application, Operating Systems, and

    Hardware Bryan D. Payne Engineering Manager, Platform Security

  2. "Diamonds" by Swamibu - http://flickr.com/photos/swamibu/1182138940/. Licensed under CC BY 2.0

    via Commons

  3. "Antwerpen Hoveniersstraat" by Thorsten1997 - Own work. Licensed under Public

    Domain via Commons

  4. 19 February 2003 BBC News http://news.bbc.co.uk/2/hi/europe/2782305.stm

  5. Joshua Davis. The Untold Story of the World’s Biggest Diamond

    Heist. Wired, http://archive.wired.com/politics/law/magazine/17-04/ff_diamonds 1. Combination dial 2. Keyed lock 3. Seismic sensor 4. Locked steel grate 5. Magnetic sensor 6. External security camera 7. Keypad to disarm sensors 8. Light sensor 9. Internal security camera 10. Heat / motion sensor

  6. Photo Credit: Tom Varco (CC BY-SA 3.0) https://en.wikipedia.org/wiki/Safe#/media/File:Safe.jpg Photo Credit:

    Jonathunder (CC BY-SA 3.0) https://en.wikipedia.org/wiki/Bank_vault#/media/File:WinonaSavingsBankVault.JPG

  7. Photo Credit: Google http://www.google.com/about/datacenters/gallery/

  8. Computing Abstractions & Security

  9. Hardware Operating System Application Application Application

  10. None
  11. None

  12. Photo Credit: Aaron Parecki (CC BY 2.0) https://www.flickr.com/photos/aaronpk/7664287550

  13. Photo Credit: Evan-Amos (CC BY-SA 3.0) https://en.wikipedia.org/wiki/Hard_disk_drive#/media/File:Laptop-hard-drive-exposed.jpg

  14. None

  15. EPROCESS KPROCESS LIST_ENTRY FLINK BLINK EPROCESS KPROCESS LIST_ENTRY FLINK BLINK

    EPROCESS KPROCESS LIST_ENTRY FLINK BLINK Hidden Process

  16. Web Service GET /index.html <html><head>…</html>

  17. Hardware Operating System Application Application Application CPU Instruction “rdrand” Operating

    System Driver Cryptography Library Web Server

  18. Web Server News Feed Featured Articles User AuthN Database Database

    Database Content Mgmt User Mgmt
  19. None

  20. Photo Credit: Kayamon (CC BY-SA 3.0) https://en.wikipedia.org/wiki/File:Penny_Harvest_Field_2007.jpg

  21. Attacker Skill & Exploitation Likelihood Likelihood of Attack Intelligence Services

    Serious Organized Crime Highly Capable Groups Motivated Individuals Script Kiddies OpenStack Security Guide (CC BY 3.0) http://docs.openstack.org/sec/

  22. Tipping Point Increasing Security Investment Increasing Security Engineering Efficiencies

  23. Future Directions

  24. Hardware Operating System / Hypervisor Instance / Virtual Machine Instance

    / Virtual Machine Instance / Virtual Machine Cloud Provider Customer

  25. from cryptography.fernet import Fernet key = Fernet.generate_key() f = Fernet(key)

    ciphertext = f.encrypt(b”A message.") plaintext = f.decrypt(ciphertext) Simple Libraries (e.g., python-cryptography) Traditional Libraries (e.g., openssl) #include <openssl/conf.h> #include <openssl/evp.h> #include <openssl/err.h> #include <string.h> int main(int arc, char *argv[]) { /* Set up the key and iv. Do I need to say to not hard code these in a * real application? :-) */ /* A 256 bit key */ unsigned char *key = "01234567890123456789012345678901"; /* A 128 bit IV */ unsigned char *iv = "01234567890123456"; /* Message to be encrypted */ unsigned char *plaintext = "The quick brown fox jumps over the lazy dog"; /* Buffer for ciphertext. Ensure the buffer is long enough for the * ciphertext which may be longer than the plaintext, dependant on the * algorithm and mode */ unsigned char ciphertext[128]; /* Buffer for the decrypted text */ unsigned char decryptedtext[128]; int decryptedtext_len, ciphertext_len; /* Initialise the library */ ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); OPENSSL_config(NULL); /* Encrypt the plaintext */ ciphertext_len = encrypt(plaintext, strlen(plaintext), key, iv, ciphertext); /* Do something useful with the ciphertext here */ printf("Ciphertext is:\n"); BIO_dump_fp(stdout, ciphertext, ciphertext_len); /* Decrypt the ciphertext */ decryptedtext_len = decrypt(ciphertext, ciphertext_len, key, iv, decryptedtext); /* Add a NULL terminator. We are expecting printable text */ decryptedtext[decryptedtext_len] = '\0'; /* Show the decrypted text */ printf("Decrypted text is:\n"); printf("%s\n", decryptedtext); /* Clean up */ EVP_cleanup(); ERR_free_strings(); return 0; } int encrypt(unsigned char *plaintext, int plaintext_len, unsigned char *key, unsigned char *iv, unsigned char *ciphertext) { EVP_CIPHER_CTX *ctx; int len; int ciphertext_len; /* Create and initialise the context */ if(!(ctx = EVP_CIPHER_CTX_new())) handleErrors(); /* Initialise the encryption operation. IMPORTANT - ensure you use a key * and IV size appropriate for your cipher * In this example we are using 256 bit AES (i.e. a 256 bit key). The * IV size for *most* modes is the same as the block size. For AES this * is 128 bits */ if(1 != EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv)) handleErrors(); /* Provide the message to be encrypted, and obtain the encrypted output. * EVP_EncryptUpdate can be called multiple times if necessary */ if(1 != EVP_EncryptUpdate(ctx, ciphertext, &len, plaintext, plaintext_len)) handleErrors(); ciphertext_len = len; /* Finalise the encryption. Further ciphertext bytes may be written at * this stage. */ if(1 != EVP_EncryptFinal_ex(ctx, ciphertext + len, &len)) handleErrors(); ciphertext_len += len; /* Clean up */ EVP_CIPHER_CTX_free(ctx); return ciphertext_len; } int decrypt(unsigned char *ciphertext, int ciphertext_len, unsigned char *key, unsigned char *iv, unsigned char *plaintext) { EVP_CIPHER_CTX *ctx; int len; int plaintext_len; /* Create and initialise the context */ if(!(ctx = EVP_CIPHER_CTX_new())) handleErrors(); /* Initialise the decryption operation. IMPORTANT - ensure you use a key * and IV size appropriate for your cipher * In this example we are using 256 bit AES (i.e. a 256 bit key). The * IV size for *most* modes is the same as the block size. For AES this * is 128 bits */ if(1 != EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv)) handleErrors(); /* Provide the message to be decrypted, and obtain the plaintext output. * EVP_DecryptUpdate can be called multiple times if necessary */ if(1 != EVP_DecryptUpdate(ctx, plaintext, &len, ciphertext, ciphertext_len)) handleErrors(); plaintext_len = len; /* Finalise the decryption. Further plaintext bytes may be written at * this stage. */ if(1 != EVP_DecryptFinal_ex(ctx, plaintext + len, &len)) handleErrors(); plaintext_len += len; /* Clean up */ EVP_CIPHER_CTX_free(ctx); return plaintext_len; } [edit]

  26. A team participating in a CTF competition at DEFCON 17

    Photo Credit: Nate Grigg (CC BY 2.0) http://www.flickr.com/photos/nateone/3792232737/

  27. Questions? bryanp@netflix.com http://bryanpayne.org