Security for The Machine: By Design
-
Upload
james-salter -
Category
Technology
-
view
510 -
download
5
Transcript of Security for The Machine: By Design
![Page 1: Security for The Machine: By Design](https://reader035.fdocuments.in/reader035/viewer/2022081605/58ecbdd41a28ab803f8b45f3/html5/thumbnails/1.jpg)
Security for The Machine: By DesignJames Salter, Research ManagerSecurity and Manageability Lab
![Page 2: Security for The Machine: By Design](https://reader035.fdocuments.in/reader035/viewer/2022081605/58ecbdd41a28ab803f8b45f3/html5/thumbnails/2.jpg)
2014DNS LoggingTrafodionLocation Aware
1967Cesium-beam atomic clock
1966Light-Emitting Diode (LED)
1972Pocket Scientific Calculator
1975Standard for Interface Bus
1980Office Laser Printer
1984Inkjet Printer
19863D graphics workstations
198064-channel Ultrasound
1989Digital Data Storage Drive
199464-bit architecture
1999Molecular Logic Gate
2001Utility Data Center
2002Rewritable DVD for standard players
2003Smart Cooling
2005Virus Throttle
2010ePrint
2011MagCloud
20113D Photon Engine
2011StoreOnce
2012StoreAll
2013Threat Central
2013SureStart
20143D Printing Technology
Innovation is our legacy and our future
1966
1968Programmable Desktop Calculator
1986CommercializedRISC chips
2008Memristor discovered
2012OpenFlow switches
2013HP Moonshot
2015Distributed R
HP Labs
![Page 3: Security for The Machine: By Design](https://reader035.fdocuments.in/reader035/viewer/2022081605/58ecbdd41a28ab803f8b45f3/html5/thumbnails/3.jpg)
Innovation is our legacy and our future
![Page 4: Security for The Machine: By Design](https://reader035.fdocuments.in/reader035/viewer/2022081605/58ecbdd41a28ab803f8b45f3/html5/thumbnails/4.jpg)
4
The Past 60 Years
1950s 1960s 1970s 1980s 1990s 2000s Today
![Page 5: Security for The Machine: By Design](https://reader035.fdocuments.in/reader035/viewer/2022081605/58ecbdd41a28ab803f8b45f3/html5/thumbnails/5.jpg)
5
The Machine
![Page 6: Security for The Machine: By Design](https://reader035.fdocuments.in/reader035/viewer/2022081605/58ecbdd41a28ab803f8b45f3/html5/thumbnails/6.jpg)
6
I/O
Copper
![Page 7: Security for The Machine: By Design](https://reader035.fdocuments.in/reader035/viewer/2022081605/58ecbdd41a28ab803f8b45f3/html5/thumbnails/7.jpg)
7
Copper
![Page 8: Security for The Machine: By Design](https://reader035.fdocuments.in/reader035/viewer/2022081605/58ecbdd41a28ab803f8b45f3/html5/thumbnails/8.jpg)
8
Copper
![Page 9: Security for The Machine: By Design](https://reader035.fdocuments.in/reader035/viewer/2022081605/58ecbdd41a28ab803f8b45f3/html5/thumbnails/9.jpg)
9
![Page 10: Security for The Machine: By Design](https://reader035.fdocuments.in/reader035/viewer/2022081605/58ecbdd41a28ab803f8b45f3/html5/thumbnails/10.jpg)
10
From processor-centric computing…
MemoryMemory
Mem
ory
Mem
oryM
emory
Memory
MemoryMemory
Mem
ory
Mem
ory
Mem
ory
Memory
SoC SoC
SoCS
oC
SoC
SoCSoC
SoC
SoC
SoC
SoC
SoCSoC SoC
SoCS
oC
SoC
SoCSoC
SoCSoC
SoC
SoC
SoC
Memory+
Fabric
…to Memory-Driven Computing
![Page 11: Security for The Machine: By Design](https://reader035.fdocuments.in/reader035/viewer/2022081605/58ecbdd41a28ab803f8b45f3/html5/thumbnails/11.jpg)
11
Security challenges
Scale
New architecture
Which control points?
Performance bottleneck
Resource constraints
![Page 12: Security for The Machine: By Design](https://reader035.fdocuments.in/reader035/viewer/2022081605/58ecbdd41a28ab803f8b45f3/html5/thumbnails/12.jpg)
Principles
Security by design, not as an afterthought A secure foundation for applications
12
![Page 13: Security for The Machine: By Design](https://reader035.fdocuments.in/reader035/viewer/2022081605/58ecbdd41a28ab803f8b45f3/html5/thumbnails/13.jpg)
The Machine security framework
13
The first computer with security built-in from the ground up
Data always protected: in use, in flight and at rest
Secure boot and firmware
Run time monitoring
Access control
Low energy encryption
ProtectGiving The Machine the ability to protect itself, even against completely unknown threats
Compromised components
Firmware and kernel tampering
Runtime malware monitoring
Monitoring for data leakage
DetectAlways safe, always recoverable, without sacrificing performance
Recovery at the firmware layer
OS, application, and data recovery
Systematic recovery at scale with minimal human intervention
Recover
![Page 14: Security for The Machine: By Design](https://reader035.fdocuments.in/reader035/viewer/2022081605/58ecbdd41a28ab803f8b45f3/html5/thumbnails/14.jpg)
Protect: Access control at different layers
14
Hardware
Application Thread
Data Data Data
Application Thread
Data Data Data
Operating System
![Page 15: Security for The Machine: By Design](https://reader035.fdocuments.in/reader035/viewer/2022081605/58ecbdd41a28ab803f8b45f3/html5/thumbnails/15.jpg)
Detect: Tamper-proof monitoring/introspection
15
Operating System
Hardware and Firmware
Normal mode
Monitor
Secure mode
![Page 16: Security for The Machine: By Design](https://reader035.fdocuments.in/reader035/viewer/2022081605/58ecbdd41a28ab803f8b45f3/html5/thumbnails/16.jpg)
Detect: Primitives to enable detection outside The Machine
16
HPE DNS Malware Analytics
Where to collect data from? – problems placing probes
Primitives/APIs for event collection
![Page 17: Security for The Machine: By Design](https://reader035.fdocuments.in/reader035/viewer/2022081605/58ecbdd41a28ab803f8b45f3/html5/thumbnails/17.jpg)
Recover: Recovery from malicious actions
17
Recovery at thefirmware layer
OS, applicationand data recovery
Systematic recovery at scale with minimal human intervention
Example: Recover from kernel level malware attack
• Out-of-band integrity measures trigger an alarm• Migrate workload to a new core• Perform secure reboot to restore trusted state• Freeze machine core and send for forensic analysis• Turn on advanced monitoring
![Page 18: Security for The Machine: By Design](https://reader035.fdocuments.in/reader035/viewer/2022081605/58ecbdd41a28ab803f8b45f3/html5/thumbnails/18.jpg)
Security for The Machine
18
Efficient Resilient Scalable Manageable
• An opportunity to design and implement security from the ground up
• Security is not an afterthought, but a conscious design decision