Project: Trustworthy Resilient Universal Secure Infrastructure Platform

TruSIP picture

Context

The call for trustworthy and dependable (ICT and ICS) computing

In May 2009, the United States' President Barack Obama ordered a 60-day cyberspace policy review.  The project was headed up by Melissa Hathaway.  The subsequent Report identified the need and called for trustworthy and dependable computing infrastructure.  This explicitly included traditional Information and Communication Technology (ICT) systems as well as Industrial Control Systems (ICS).  The Report has been a catalyst for wide ranging cyber security initiatives in the USA, including the January 2011 Department of Homeland Security Broad Agency Announcement (BAA 11-02).

Synaptic Labs’ Trustworthy Resilient Universal Secure Infrastructure Platform (TruSIP) is a direct response to the above calls. Specifically TruSIP proposes a trustworthy and dependable computing platform suitable that addresses the currently open hard security limitations of today's IT and ICS designs in one unified platform.

Study reports that baseline security needs in IT systems are rising

In December 2010 the U.S. based IT firm EMC Corp commissioned the international analyst organisation International Data Corp (IDC) to produce a multimedia report that measures and forecasts the vast amount of digital information created and copied annually and its implications for individuals and Information Technology professionals worldwide.

By 2020, the IDC report predicts that almost 50% of the information in the Digital Universe will require a level of IT-based security beyond a baseline level of virus protection and physical protection. That’s up from about 30% from 2010.  And while the portion of that part of the Digital Universe that needs the highest level of security is small – in gigabytes and total files – that portion will grow by a factor of 100.

The report goes on to say that "if you look at the information in the Digital Universe that needs to be protected by number of containers or “files” (rather than by number of bytes), the percentage needing protection is more than 90%. And the amount of unprotected data will grow by a factor of 90 between now and 2020." ... "In fact, Probably EVERY byte in the Digital Universe could use some security and privacy protection. But we will never know because we can never know exactly what all those files and gigabytes actually contain."

TruSIP is intended to comprehensively address rising security needs

The Trustworthy Resilient Universal Secure Infrastructure Platform (TruSIP) is intended to comprehensively address the increased security needs for organisations that go beyond simple virus protection and physical protection.  

At the deeper level, we are all clearly advised that today's systems are not trustworthy or dependable.  To quote Debora Plunkett, a Director in the U.S. National Security Agency:

"There's no such thing as 'secure' anymore" ... "We have to build our systems on the assumption that adversaries will get in." ... "We have to, again, assume that all the components of our system are not safe, and make sure we're adjusting accordingly." (Dec 2010).

The TruSIP platform (on it's own or in combination with other ICT Gozo Malta projects) is intended to address 6 of the 8 current hardest and most critical challenges (Global-scale IdM, Insider Threat, Availability of Time-Critical Systems, Building Scalable Secure Systems, Situational Understanding, Security with Privacy) identified by the United States Department of Homeland Security in their November 2009 Cyber Security Roadmap.  The DHS report says these core challenges must be addressed if trustworthy systems envisioned by the U.S. Government are to be built. 

What ICT / ICS service providers and clients need

To attract customers and to also ensure their own business continuity, Information and Communication Technology (ICT) and Industrial Control System (ICS) service providers need to be able to demonstrate and assure their customers/stakeholders that their new public utility ('on demand computing') or new supervisory control and data acquisition (SCADA) system will be adequately reliable and secure.

The public requires assurances that the business and mission critical operations they run from the cloud (e.g. a public web server) will be reliable and available, even in the face of malicious cyber attacks exploiting zero-day vulnerabilities (first exploit of a previously unknown vulnerability).  

With regard to processing sensitive data, the client needs assurances that adequate security controls are in place to protect against data breaches.  The issue of maintaining a satisfactory level of secrecy (confidentiality) is particularly difficult as the client must cede control to a 3rd party cloud provider, that cloud provider's trusted staff, and ultimately to the vendors who supply software and hardware to the cloud provider.  This implies that certain privileged technical staff outside of the client's organisation could access the client's sensitive (and regulation controlled) data if it is supplied to the cloud.  It is this issue, regarding confidentiality and trust, that is the current hardest open problem limiting the uptake of public cloud computing.  

The issue of maintaining safe and continuous operations in the face of malicious adversaries is one of the current hardest open problems threatening critical infrastructure. 

TruSIP - Satisfying both service provider and client needs

Synaptic Labs’ Trustworthy Resilient Universal Secure Infrastructure Platform (TruSIP) proposal addresses the identified security concerns that currently hinder the take up of public cloud computing (such as insider attacks and inadequate confidentiality and integrity controls of sensitive data) in a manner that simultaneously addresses the hard identified security requirements of industrial control systems (such as high availability, integrity, malware and intrusion resistance).  By simultaneously addressing both sets of needs, our single platform is ideal for both ICT and industrial control applications, as well addressing critical infrastructure projects that must combine the two disciplines (ICT+ICS) in one large system of systems.

The TruSIP initiative addresses security threats and confidentiality and trust issues from both the cloud service provider, and end user perspectives, even in the case where an unknown malware is present.  The unique benefits of this project will also flow to private cloud systems, making them also more resilient, for example against a wide range of insider attacks (attacks originating inside the hardware, operating systems, trusted staff and administrators).

end faq

Proposal

Synaptic Labs' TruSIP vision

The creation of a universally trustworthy and dependable computing platform suitable for hosting mission critical operations.  This platform should uniformly deliver unprecedented confidentiality, integrity, availability, reliability, safety and authenticity assurances for all stakeholders against continuous and evolving insider and outsider attacks (i.e. all malicious actors), in a way that is credible and can be audited.  This platform will address covert storage channel attacks, covert timing channel attacks and many other forms of side-channel attack.  Furthermore this platform should facilitate business continuity in the face of natural or man made physical disasters.

Achieving this vision

We have taken a clean-slate approach to trustworthy and dependable computing.

Synaptic Labs' solution synergistically combines high-availability techniques found in aerospace, safety techniques found in critical infrastructure, survivability techniques employed by biological systems and modern information security techniques in a cost-effective design intended to leverage economies of scale.

We achieve secure computing for all stakeholders:

  • using commercial off the shelf (COTS) hardware and operating systems often found in public and private cloud infrastructure, where each component is managed in a particular way; and
  • by enabling programs running in the cloud computers to exploit our infrastructure and management design.

Synaptic Labs' unique-value-propositions

Synaptic Labs' Trustworthy Resilient Universal Secure Infrastructure Platform (TruSIP):

  • has been designed from the ground up as a cryptographic project
  • addresses identity management and access controls from the onset by integrating with Synaptic Labs' IdM-CKM project
  • an intrusion and malware resistant design:
    • offers unprecedented assurances for all stakeholders with regard to confidentiality, integrity and availability against broad classes of both insider and outsider attacks, even when the attack (known or unknown) successfully compromises one component  
    • comprehensively addresses the currently hard problems of ensuring client data confidentiality in public clouds, even in the face of a dormant and currently undetected compromise of a component (malware injection, inbuilt backdoors, ...).
    • addresses covert storage channel attacks and covert timing channel attacks
    • addresses a wide range of side-channel attacks including cache-timing attacks
    • provides the client the option to to protect their software against attacks mounted by a rogue software developer when the application is hosted on the cloud platform
  • the system, taken as a whole, delivers assurance of critical data controls for clients (Governance) in cloud environments that cannot be achieved today by other cloud offerings
  • the platform has been designed for both IT and ICS applications.

With regard to insider attacks we explicitly address a wide range of attacks that can be mounted by the public cloud provider or its trusted staff or suppliers including in the software and hardware used to provision services by that cloud provider.  Stated in another way, we believe Synaptic Labs' intrusion resistant designs are capable of preventing sensitive client information entrusted to the cloud from being leaked as a result of weakness, malware or back-doors in any software or hardware component used server-side.

Instead of creating targeted defences against single threats (such as a specific virus) TruSIP will be designed to address whole classes of security attacks (e.g. all viruses) at the design level.  It will be designed to remain operational in the face of Unpredictable, Unobserved or Unobservable Risks (UUUR).  TruSIP will employ survival strategies at the system level that find alternative methods for completing all transactions and by automatically repairing resources corrupted by attack.  A distinctive feature of TruSIP is that it will be generally capable of preventing sensitive information being leaked as a result of malware or a wide range of insider attack.  This makes it particularly suitable for financial transaction processing, medical and health systems, cryptographic key management and any application where sensitive information is entrusted to computing systems.

The TruSIP can be built using commercial-off-the-shelf hardware, operating systems and programming languages.  In principle, the TruSIP can host applications written in any programming language.

Cost Effectiveness

The Trustworthy Resilient Universal Secure Infrastructure Platform (TruSIP) design offers the world's most cost effective approach to achieving confidentiality against the service provider and insider attacks, with computational costs that are comparable with existing high-availability solutions.

To place Synaptic Labs' results in context, we need to briefly summarise the performance of our nearest competitor. In 2009, Craig Gentry proposed the first fully homomorphic encryption scheme which permits any number of calculations to be performed on encrypted data by a server for the benefit of the client. Gentry estimates that performing a Google search process with encrypted keywords would multiply the necessary computing time by around 1 trillion times using his technique. The U.S. Defense Advanced Research Projects Agency (DARPA) plans to spend USD $20 million over 5 years to reduce the computing time for fully homomorphic encryption by a factor of 10 million compared to its current state, with a target of achieving only 100,000 times the computation required for unencrypted computing.

By way of comparison, TruSIP has secure configurations with computational costs on the order of only 2.5x to 3.5x the cost of low-assurance unsecured computing solutions.  TruSIP's costs vary depending on the level of confidentiality-integrity-availability requirements. These computational costs are highly competitive with other fault-tolerant high-availability/mission critical business systems that do not offer any confidentiality protection against insider attacks.   This positions TruSIP as a commercially relevant design proposal that addresses needs unmet by any other product or proposal in the public literature. 

Elements in the design

The Trustworthy Resilient Universal Secure Infrastructure Platform (TruSIP) provides a secure platform for running applications remotely installed by a client.

The design addresses the systems level, requiring only the use of commercial off the shelf (COTS) hardware and a small amount of proprietary software, all organized in an innovative configuration that provides greater confidentiality, integrity and availability to all cloud stakeholders.  Synaptic Labs' proposal includes specific strategies for managing the hardware and software on the server side.  Clients will use two-factor authentication methods to access the cloud to prevent account and service hijacking.

Applications remotely installed by the client will be adapted to exploit Synaptic Labs' architecture model.

    Phase 1: TruSIP in Software - Support for Smart cards and HSM

    Implement all the essential functions of Synaptic Labs' Trustworthy Resilient Universal Secure Infrastructure Platform (TruSIP) for running in smart cards and hardware security modules. This phase will focus on the critical security and integrity features of the platform. TruSIP on smart cards will be used to enable two factor identification and authentication tokens.

    Phase 1: FPGA - Boutique services for ICT + ICS

    Implement all the essential functions of Synaptic Labs' Trustworthy Resilient Universal Secure Infrastructure Platform (TruSIP) for running a boutique range of programs and services on Field Programable Gate Array (FPGA) chips. This phase will focus on the critical security and integrity features of the platform.

    Example end-user applications that can run on the phase 1 platform will include Synaptic Labs' IdM-CKM project and Synaptic Labs' bank-card transaction platform.

    Drawing on the work done in Synaptic Labs' Secure Real-time Revolution, TruSIP will also be able to host general purpose web applications written in Java.  Examples include Oracle's Java Web Application Archive standard and the Google App Engine, a Java based cloud platform offered by Google.  The objective is to enable existing applications that run on those platforms to run on and gain the security benefits of Synaptic Labs' Trustworthy Resilient Universal Secure Infrastructure Platform (TruSIP).

    Phase 2: ASIC (3-D IC) - Mass commodity markets ready

    Enhance the Phase 1 platform and implement in high performance 3-D integrated circuits.  This will reduce the cost of each device and result in dramatic improvements in computing power.  We will initially target two types of chip: 1) a general purpose computing chip suitable for most markets including workstations, and private + public clouds, and 2) a specialised low cost chip for use in embedded micro and industrial control markets.

    In this phase we will work towards enabling end-to-end security by creating secure client workstations that adapt real-time operating systems to run on TruSIP, and adapting TruSIP hardware to drive a desktop monitor.  

    Enhanced availability and survivability

    Phases 1, and 2 focus on achieving the critical security and integrity features of the platform with support for some standard availability and survivability features.  During any phase, when desired, the project scope can be expanded to comprehensively address 'availability' (maintaining service delivery in the face of arbitrary component failure) and 'survivability' (adapting the platform real-time to remove exposure to currently active attacks).  We anticipate that programs originally written to achieve the security and integrity features will also be able to exploit the enhanced availability and survivability features with little to no modifications.

    end faq

    Related ICT Gozo Malta proposals that employ TruSIP:

    Resources:

     

    cloud_server

    Recent News!

    Prev Next

    ICT Gozo Malta Project wins National Ent…

    26 Apr 2012

    ICT Gozo Malta Project wins National Enterprise Award

    The ICT Gozo Project co-founded by The Gozo Business Chamber and Synaptic Laboratories Ltd were joint winners of a 20,000 Euro prize in the National Enterprise Support Awards 2011, an event sponsored by Government of Malta and the European Commission,...

    Read more

    Synaptic Laboratories Ltd. to represent …

    26 Apr 2012

    Synaptic Laboratories Ltd. to represent ICT Gozo Malta Project, and also to present at, the Dubrovnik Nuclear Threats and Security Conference 2012

    The activities of the ICT Gozo Malta Project and Synaptic Laboratories continue to draw international attention, resulting in invitations to provide expert speakers at leading scientific events.  Recently Synaptic Laboratories Ltd., as ICT GM co-founders and project designers, were contacted by...

    Read more

    Cyber Security and Awareness Seminar

    28 Nov 2011

    Cyber Security and Awareness Seminar

    On the 23rd November 2011 we held a unique Cyber Security and Awareness Seminar, targeted to all groups and held at MITA’s offices, who also sponsored the event.  Entrence was free with complimentary refreshments.  The seminar was organised by ICT Gozo Malta...

    Read more

    News:Cyber Security Seminar

    16 Nov 2011

    News:Cyber Security Seminar

    Cyber Security Seminar ICT Gozo Malta and BCS Malta to organize International Cyber Security Seminar with bi-directional links to Brazil’s Annual Security Leaders Congress and world leading security experts. An International Cyber Security Seminar will be held at MITA’s Offices on Wednesday...

    Read more

    News: Participation in Brasil Security L…

    04 Nov 2011

    News: Participation in Brasil Security Leaders Congress

    Synaptic Laboratories' Chief Technical Officer Benjamin Gittins has been invited to participate in the Annual Brasil Security Leaders Congress on the 23 Nov. 2011.  This 2 day Congress is attended by some 300 CEO/CIO/CTO level executives from public and industry...

    Read more

    News: Gozo may have it's own Silicon Val…

    27 Oct 2011

    News: Gozo may have it's own Silicon Valley

    Just the moment you start reading this article, a new technology has been invented, produced, tested or used. Technologies took over the way we communicate, think, travel or learn and it has infiltrated  human lives in a manner that no...

    Read more

    News: ICT Gozo Malta Launch

    12 Aug 2011

    News: ICT Gozo Malta Launch

     Official launch of ICT Gozo Malta Project Click on image to view Launch videosWe are pleased to announce that on 5th AUGUST  2011, the ICT Gozo Malta Project was formally launched by the Hon. Giovanna Debono, Minister for Gozo. Speakers also...

    Read more

    News: Government Funding for Project

    25 Apr 2011

    News: Government Funding for Project

    The Government of Malta has provided funding, through the Eco-Gozo initiative, to launch Phase 1 of the ICT Gozo Malta Project. Contract Signing Ceremony   with the Honourable Giovanna Debono, Minister for Gozo. 

    Read more

    News: Malta Chamber participation

    04 Mar 2011

    News: Malta Chamber participation

    The Malta Chamber of Commerce, Enterprise and Industry have added their weight and support to this project, recently confirming their participation and collaboration.

    Read more

    News: Malta Enterprise support initiativ…

    24 Feb 2011

    News: Malta Enterprise support initiative

    Malta Enterprise express support for the ICT Cluster initiative in Gozo.  Tasked with assisting networks to develop further into business clusters, Malta Enterprise supports this initiative

    Read more

    News: MITA participation and support

    20 Jan 2011

    News: MITA participation and support

    The Government's Malta Information Technology Agency (MITA) recently expressed clear support for the ICT Gozo Malta project confirming their participation in the project to identify common goals and potential areas of collaboration.

    Read more

    News: Brazilian Banking Expertise

    22 Nov 2010

    News: Brazilian Banking Expertise

    Brazilian banking security expert Professor Fabian Martins will assist ICT Gozo Malta to develop its members global cyber security solution suited to the credit card market.

    Read more
    GBC1 SLL-Logo_150  A Collaborative Project co founded by
    The Gozo Business Chamber and
    Synaptic Laboratories Ltd

    Eco Gozo Logo

    Eco-Gozo – a Better Gozo Action Plan 2010 – 2012
    Project part-financed by the Government of Malta - Ministry for Gozo
    www.eco-gozo.com

    feedback
    feedback
    feedback