Security for The Machine: By Design

Post on 11-Apr-2017

Security for The Machine: By Design

James Salter, Research Manager

Security and Manageability Lab

2014 DNS Logging, Trafodion, Location Aware

1967 Cesium-beam atomic clock

1966 Light-Emitting Diode (LED)

1972 Pocket Scientific Calculator

1975 Standard for Interface Bus

1980 Office Laser Printer

1984 Inkjet Printer

1986 3D graphics workstations

1980 64-channel Ultrasound

1989 Digital Data Storage Drive

1994 64-bit architecture

1999 Molecular Logic Gate

2001 Utility Data Center

2002 Rewritable DVD for standard players

2003 Smart Cooling

2005 Virus Throttle

2010 ePrint

2011 MagCloud

2011 3D Photon Engine

2011 StoreOnce

2012 StoreAll

2013 Threat Central

2013 SureStart

2014 3D Printing Technology

Innovation is our legacy and our future

1966

1968 Programmable Desktop Calculator

1986 Commercialized RISC chips

2008 Memristor discovered

2012 OpenFlow switches

2013 HP Moonshot

2015 Distributed R

HP Labs


The Past 60 Years

1950s 1960s 1970s 1980s 1990s 2000s Today


The Machine

[Figure labels: I/O, Copper]

From processor-centric computing…

[Figure labels: Memory, SoC, Memory + Fabric]

…to Memory-Driven Computing


Security challenges

Scale

New architecture

Which control points?

Performance bottleneck

Resource constraints

Principles

Security by design, not as an afterthought

A secure foundation for applications

The Machine security framework


The first computer with security built-in from the ground up

Protect: Data always protected: in use, in flight and at rest

• Secure boot and firmware
• Run time monitoring
• Access control
• Low energy encryption

Detect: Giving The Machine the ability to protect itself, even against completely unknown threats

• Compromised components
• Firmware and kernel tampering
• Runtime malware monitoring
• Monitoring for data leakage

Recover: Always safe, always recoverable, without sacrificing performance

• Recovery at the firmware layer
• OS, application, and data recovery
• Systematic recovery at scale with minimal human intervention

Protect: Access control at different layers

[Figure labels: Application Thread, Data, Operating System, Hardware]

Detect: Tamper-proof monitoring/introspection

[Figure labels: Operating System, Hardware and Firmware, Normal mode, Monitor, Secure mode]

Detect: Primitives to enable detection outside The Machine


HPE DNS Malware Analytics

Where to collect data from? – problems placing probes

Primitives/APIs for event collection

Recover: Recovery from malicious actions

Recovery at the firmware layer

OS, application and data recovery

Systematic recovery at scale with minimal human intervention

Example: Recover from kernel level malware attack

• Out-of-band integrity measures trigger an alarm
• Migrate workload to a new core
• Perform secure reboot to restore trusted state
• Freeze machine core and send for forensic analysis
• Turn on advanced monitoring

Security for The Machine


Efficient Resilient Scalable Manageable

• An opportunity to design and implement security from the ground up

• Security is not an afterthought, but a conscious design decision

Thank you

james.salter@hpe.com