Improving Available Tooling for Conducting Security Research Against Critical Infrastructure

Abstract

One of the great ironies in systems security is the fact that the most critical components that make day-to-day life possible across the world are also some of the most poorly designed and defended. This is due to a myriad of reasons, but can generally be boiled down to:

  • Vendors must first provide operational functionality, and thus security comes as an afterthought, if considered at all
  • Manufacturers and developers do not invest time in trying to understand what new tools, techniques, and research results are available that can contribute to the security posture of their systems
  • Lack of available technical personnel with the required skill sets, exacerbated by an incredibly high barrier to entry for new personnel looking to become experts in this space
  • Unwillingness of vendors and manufacturers to provide systems insight due to fear of bad publicity
  • General lack of urgency due to the incorrect perception that the high-profile hacks (Sony, Atlanta, Equifax) that drive news cycles are more deserving of attention than critical infrastructure issues

The reality is that while the hacks that can be read about in the news are unfortunate, they are generally fiscal inconveniences for the affected rather than life-or-death events. This proposal seeks to make critical infrastructure a first-class citizen in the realm of cyber security and to help ensure that we never have to find out what happens when a determined adversary launches a serious attack against global infrastructure.

The vast majority of security researchers (those who make a living off of finding bugs/vulnerabilities either as an independent consultant or as a member of an internal team) focus on traditional, i386/amd64 ISA, enterprise IT platforms as targets for their work. The reasons for this are obvious: the systems are ubiquitous, existing research is plentiful and widely accessible, supported symbolic execution and fuzzing tools are abundant, and you can get started as a new learner for a few hundred dollars. Critical infrastructure is not any of these things. These systems run on esoteric architectures (arm, ppc, power, mips, sparc, cris, blackfin, etc.) that are poorly documented (if at all), were designed by companies who have since gone out of business, are extraordinarily expensive to acquire, and typically require several NDAs to even get a look at any relevant source or engineering resources, if you can manage to find an original manufacturer at all.

Even the generally healthy and well-supported qemu project, which can emulate some of these systems, can be painful to use. Non-x86 ISAs in the qemu project receive an order of magnitude less development attention and can be extremely difficult to configure correctly, making one of the most potentially useful tools in a security researcher's toolbelt significantly less useful. Additionally, no cloud infrastructure natively supports orchestration using qemu when the host ISA doesn't match the guest ISA, making techniques like distributed fuzzing significantly more difficult.

The Georgia Cyber Center proposes the following activities to address these shortcomings:

1. Ensure that libvirt no longer assumes that the host ISA = the guest ISA and will intelligently choose the qemu binary based on the reported architecture of a given image
2. Ensure that the widely-used and open-source OpenStack project can take advantage of the improvements in qemu and libvirt
3. Ensure that the contributions are designed in accordance with the respective project design guidelines so that they are supportable and may be maintained by their respective communities for years to come

The above three goals will be achieved by submitting upstream code contributions to qemu, libvirt, OpenStack Nova, OpenStack Glance, and OpenStack Tempest. All products created with the grant will have an open source license (Apache 2.0) and be freely available for use.

Document Details

Document Type
DoD Grant Award
Publication Date
Oct 22, 2020
Source ID
W911NF2010345

Entities

People

  • Michael Nowatkowski

Organizations

  • Army Contracting Command
  • Medical College of Georgia
  • United States Army

Tags

Readers

  • Cybersecurity
  • Educational Psychology
  • Parallel and Distributed Computing

Technology Areas

  • Cyber
  • Space