Security from the ground up
Originally published on EEWeb. (2019, April 9).
Cloud computing is too big to go away, but not too big to fail. We need to create a fully encrypted and authenticated infrastructure that is virtually impossible to penetrate.
The recent nation-state attack on laptop users via the ASUS Live Update feature makes it absolutely clear that “The Cloud” is not a safe computing platform — it is merely an economic model that allows users to shift computational tasks from one physical location to another with minimal workload disruption and without the cost of building their own data centers. However, this reduction in infrastructure investment comes with significant costs in terms of security.
Private corporate data centers are now combined with additional computational horsepower from a cloud provider, creating a hybrid model. This practice creates large-scale, multi-tenant data centers on the cloud provider's side, with many clients hosted in one data center and no firewalls between the individual clients. This makes the model cost-effective. It also makes all clients of the cloud provider vulnerable.
If malware escapes from one client, then all clients become possible targets of that malware, as no firewalls exist between them. This threat gets worse because firmware updates can be executed by anyone, without authenticating either the person performing the update or the update itself.
Firmware updates for hard disks, RAID controllers, LAN controllers, GPUs, BMCs, and host processors in servers are unsecured other than by weak username and password combinations. Riddled with holes and backdoors, they are easily breached. As a result, all servers have large attack surfaces that can be exploited. Sufficiently well-written malware can easily be made persistent so it will survive a reset, restart, or a re-install of the operating system.
It is true that affected systems can be taken offline, re-flashed, and put back in service, but things get worse. Traditional attacks leave some sort of trace, and by analyzing these traces we can usually find out what happened and how to avert them in the future. As reported in the 26 February 2019 column “Cloudborne Punches Hole in Cloud Security” posted on EEWeb, security analysts at Eclypsium identified the potential of using Intel’s Software Guard Extensions (SGX) to hide an attack that only the attackers are able to witness. Neither traditional malware scanners nor current firewalls can detect this attack. And, since the attack is undetectable, it is not unreasonable to assume that similar attacks have already been executed successfully.
The only way to discover a firmware attack is after the fact, once the server is taken out of service, and all firmware has been compared against the factory default and any known-good updates thereafter. Currently, this is nearly impossible to achieve as most firmware is not signed to guarantee its authenticity. We have no way to verify the present firmware is free of malware and is as supplied by the manufacturer. In fact, we cannot even guarantee that a fresh version of firmware downloaded from the manufacturer’s web site is free of malware because it is simply not signed. The ASUS breach showed that the authenticity and integrity of the firmware and all of its updates are of paramount importance to stop perpetrators from distributing malicious firmware updates with valid signatures.
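The two checks the paragraph above calls for, a signed and authenticated update and a comparison of flash contents against a known-good manifest, can be shown in a few dozen lines. The following Go program is an added example written for this page; it is not code from the article, from ASUS, or from any vendor. The update package layout, the component names, the vendor key pair and the image bytes are all constructed for illustration, and the signing and verification follow a generic Ed25519 design, not any real vendor's firmware format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// FirmwareUpdate is a constructed update package: a component name, a
// monotonically increasing version, the raw image, and a detached signature.
// The layout is hypothetical and not any vendor's real format.
type FirmwareUpdate struct {
	Component string
	Version   uint32
	Image     []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("firmware update: signature does not verify under the vendor key")
	ErrRollback     = errors.New("firmware update: version is not newer than the installed firmware")
)

// signingInput hashes a domain-separation tag, the component name, the
// version and the image together, so a signature made for one component or
// version cannot be re-attached to a different image.
func signingInput(u *FirmwareUpdate) []byte {
	h := sha256.New()
	h.Write([]byte("firmware-update-v1\x00"))
	h.Write([]byte(u.Component))
	h.Write([]byte{0})
	var ver [4]byte
	binary.BigEndian.PutUint32(ver[:], u.Version)
	h.Write(ver[:])
	h.Write(u.Image)
	return h.Sum(nil)
}

// SignUpdate is what the vendor's release pipeline would do with its offline
// private key; the device never holds this key.
func SignUpdate(priv ed25519.PrivateKey, u *FirmwareUpdate) {
	u.Signature = ed25519.Sign(priv, signingInput(u))
}

// VerifyUpdate is what the device (or a NIC/BMC bootloader) runs before
// writing anything to flash: check the signature under the pinned vendor
// public key, then refuse downgrades to older, possibly vulnerable versions.
func VerifyUpdate(pub ed25519.PublicKey, installedVersion uint32, u *FirmwareUpdate) error {
	if len(u.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(pub, signingInput(u), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installedVersion {
		return ErrRollback
	}
	return nil
}

// ImageDigest returns the hex SHA-256 of an image. A manifest of these digests
// for the factory image and every accepted update is what makes a later
// comparison of flash contents against known-good firmware possible at all.
func ImageDigest(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// MatchesKnownGood reports whether the contents read back from a component's
// flash equal one of the digests recorded in the known-good manifest.
func MatchesKnownGood(manifest map[string][]string, component string, flash []byte) bool {
	want := ImageDigest(flash)
	for _, d := range manifest[component] {
		if d == want {
			return true
		}
	}
	return false
}

func main() {
	// Constructed vendor key pair; in practice the public key is burned into
	// the device and the private key lives in an HSM.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	u := &FirmwareUpdate{Component: "bmc", Version: 2, Image: []byte("constructed BMC image v2")}
	SignUpdate(priv, u)
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, u))

	tampered := *u
	tampered.Image = append([]byte(nil), u.Image...)
	tampered.Image[0] ^= 0x01 // one flipped bit, signature left in place
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, &tampered))

	fmt.Println("same update offered again:", VerifyUpdate(pub, 2, u))

	manifest := map[string][]string{"bmc": {ImageDigest(u.Image)}}
	fmt.Println("flash matches manifest:", MatchesKnownGood(manifest, "bmc", u.Image))
}
```

The point of binding the component name and version into the signed input is that a genuine signature for one component cannot be replayed onto another, and the version check stops an attacker from re-installing an older signed image that carries a known bug. Signing alone does not help if the vendor's private key is stolen, which is why the key belongs in an HSM and why the device must still keep a digest manifest it can be audited against.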
So, how can the spread of malware be detected and prevented in the cloud?
To filter incoming and outgoing traffic, we will have to start with firewalls that are not based on a vulnerable legacy processor architecture, but instead are hardware-based as it has been proven that a software-based approach cannot be made secure enough. These firewalls must support signed and fully authenticated firmware installation and update processes, and they must never reveal private keys to the outside world, even if a programmer or a user makes a grave error. Furthermore, they must be invulnerable to Meltdown, Spectre, Cloudborne, and any other hardware attacks, and they must be able to learn normal traffic patterns and be able to defend themselves against attacks while, at the same time, preventing intrusions and exfiltration of malware.
Cloud providers will need to install servers with novel and truly secure Network Interface Cards (NICs) that act as local firewalls. At the same time, all broadband connections between branch offices, companies, banks, and their end users — and all other communication that by nature of the traffic flowing through them demands security — should be secured by equipping each end with truly secure firewalls.
Multi-tenant public clouds will need to isolate all clients from each other by deploying firewalls that (1) do not use insecure processors, (2) do not use industry-standard hard disks or SSDs, and (3) do not accept unauthenticated firmware updates or unsigned firmware. These firewalls must be deployed at the perimeter at each entry and exit point that is connected to the internet, and — novel for firewalls — must filter traffic in BOTH directions simultaneously (bi-directional, full-duplex) to detect exfiltration of malware.
Cloud computing is too big to go away, but not too big to fail. We can, however, achieve a very high level of security between any two endpoints by securing the perimeter first, followed by the endpoints and the gateways (or aggregators). Furthermore, hardware is needed to secure communication and to authenticate devices and users. A fully encrypted and authenticated infrastructure will be virtually impossible to penetrate. Improving on this fundamental base, the use of strong biometric measures to discourage using passwords will make infrastructures safer, more secure, and even more convenient than they are today.