Platform Security Summit 2019
Oct 1-3, 2019 · Redmond, WA

“Give me a place to stand on,
and I will move the earth.”

—Archimedes

PSEC 2019 brings together security architects, researchers and developers from the ecosystems of hyperscalers, service operators, product vendors, academia and open-source.

While software eats hardware and the world, Conway’s Law (1967) states:

organizations which design [software] systems … are constrained to produce designs which are copies of the communication structures of these organizations.

If attackers are not so constrained, how can defenders improve the resilience of org-influenced software? Multi-domain software defense requires multi-domain analysis, integration and verification.

PSEC 2019 enables hardware/firmware engineers, VMM/OS developers, architects, integrators, verifiers and senior technical staff to collaborate on hardware-assisted platform security and composable software supply chain integrity, from edge to cloud.


Sponsors




Agenda

There will be a single track of presentations, Tue Oct 1st - Thu Oct 3rd, 2019.

For tickets and event logistics, see the Program page.



Presentations

(2019-09-20 revision)

H A R D W A R E

Guarding Against Physical Attacks: The Xbox One Story

Tony Chen
Microsoft

Every game console since the first Atari was more or less designed to prevent the piracy of games and yet every single game console has been successfully modified to enable piracy. However, this trend has come to an end. Both the Xbox One and the PS4 have now been on the market for close to 6 years, without hackers being able to crack the system to enable piracy or cheating. This is the first time in history that game consoles have lasted this long without being cracked to enable piracy.

In this talk, we will discuss how we achieved this for the Xbox One. We will first describe the Xbox security design goals and why it needs to guard against hardware attacks, followed by descriptions of the hardware and software architecture to keep the Xbox secure. This includes details about the custom SoC we built with AMD and how we addressed the fact that all data read from flash, the hard drive, and even DRAM cannot be trusted. We will also discuss the corresponding software changes we made to keep the system and the games secure.

PIPE: Hardware Acceleration for Efficient Enforcement of Software-defined Security Policies

Chris Casinghino
Charles Stark Draper Laboratory

Hardware security mechanisms have struggled to keep up with rapidly changing attacks. Hardware is time-consuming to design, and its fixed nature makes it challenging to adapt to new threats. Modern tagged architectures solve this problem by enforcing general software-defined security policies. Policies define what information is stored in the tags and what rules the architecture enforces relative to this information (e.g., data tagged as confidential should not be sent over the network).

Draper’s PIPE, Processor Interlocks for Policy Enforcement, is a general-purpose hardware security architecture that accelerates policy enforcement. The PIPE maintains metadata tags for every CPU register and memory word, and monitors policies on a per-instruction basis. In this talk, we give an overview of the PIPE architecture and illustrate the wide range of security policies it can enforce (e.g., memory safety, CFI, and confidentiality). We also present our open-source tools for developing policies and simulating PIPE, as well as ongoing research including support for the seL4 verified operating system.
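
As an added illustration of the per-instruction policy model described above (this is not PIPE's own code or policy language; the tiny three-operand ISA, the "confidential" label and the rule function are assumptions made for this example), the following Python interpreter carries a metadata tag on every register and memory word and consults a software-defined policy before each instruction commits:

```python
"""Toy tagged-architecture interpreter: every register and memory word
carries a metadata tag, and a software-defined policy is consulted on
every instruction.  Added example; the instruction set, labels and policy
rules are invented for illustration and are not PIPE's."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Tuple

Tag = FrozenSet[str]
CLEAN: Tag = frozenset()
CONFIDENTIAL: Tag = frozenset({"confidential"})


class PolicyViolation(Exception):
    """Raised where hardware would trap before the instruction commits."""


def confidentiality_policy(op: str, operand_tags: List[Tag]) -> Tag:
    """Return the tag of the instruction's result, or raise.

    Rules: tags propagate through loads, stores and arithmetic; a `send`
    of anything carrying the confidential label is refused; only the
    explicit `declassify` instruction may strip the label."""
    combined: Tag = frozenset().union(*operand_tags)
    if op == "send" and "confidential" in combined:
        raise PolicyViolation("confidential data would reach the network")
    if op == "declassify":
        return combined - {"confidential"}
    return combined


@dataclass
class TaggedMachine:
    policy: Callable[[str, List[Tag]], Tag]
    regs: Dict[str, Tuple[int, Tag]] = field(default_factory=dict)
    mem: Dict[int, Tuple[int, Tag]] = field(default_factory=dict)
    sent: List[int] = field(default_factory=list)

    def run(self, program: List[tuple]) -> List[int]:
        """Execute `program`; return the values that reached the network."""
        for op, *args in program:
            if op == "load":                       # load rd, addr
                rd, addr = args
                val, tag = self.mem[addr]
                self.regs[rd] = (val, self.policy(op, [tag]))
            elif op == "add":                      # add rd, rs1, rs2
                rd, rs1, rs2 = args
                (v1, t1), (v2, t2) = self.regs[rs1], self.regs[rs2]
                self.regs[rd] = (v1 + v2, self.policy(op, [t1, t2]))
            elif op == "store":                    # store addr, rs
                addr, rs = args
                val, tag = self.regs[rs]
                self.mem[addr] = (val, self.policy(op, [tag]))
            elif op == "declassify":               # declassify rd, rs
                rd, rs = args
                val, tag = self.regs[rs]
                self.regs[rd] = (val, self.policy(op, [tag]))
            elif op == "send":                     # send rs (to the NIC)
                (rs,) = args
                val, tag = self.regs[rs]
                self.policy(op, [tag])             # may trap
                self.sent.append(val)
            else:
                raise ValueError(f"unknown instruction {op}")
        return self.sent


def fresh_machine() -> TaggedMachine:
    """Constructed memory image: a secret key at 0x100, a public counter at 0x200."""
    m = TaggedMachine(confidentiality_policy)
    m.mem[0x100] = (0x5EC7, CONFIDENTIAL)
    m.mem[0x200] = (7, CLEAN)
    return m


def run_checked(program: List[tuple]):
    """Return (values that were sent, violation message or None)."""
    m = fresh_machine()
    try:
        return m.run(program), None
    except PolicyViolation as exc:
        return m.sent, str(exc)


# Laundering the key through arithmetic and memory does not remove its tag.
LEAK = [("load", "r1", 0x100), ("load", "r2", 0x200),
        ("add", "r3", "r1", "r2"), ("store", 0x300, "r3"),
        ("load", "r4", 0x300), ("send", "r4")]
# Public data only: the policy lets it through.
PUBLIC = [("load", "r2", 0x200), ("add", "r3", "r2", "r2"), ("send", "r3")]
# Explicit declassification is the only sanctioned path out.
DECLASSIFY = [("load", "r1", 0x100), ("declassify", "r5", "r1"), ("send", "r5")]

if __name__ == "__main__":
    for name, prog in [("LEAK", LEAK), ("PUBLIC", PUBLIC), ("DECLASSIFY", DECLASSIFY)]:
        print(name, run_checked(prog))
```

The point to take from the model is that the policy is data, not silicon: swapping confidentiality_policy for a rule set over different labels (a memory-safety colouring of pointers and objects, or a CFI policy over return targets) changes what the same hardware enforces, which is what lets a tagged architecture track new attack classes without a new chip.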

CHERI: Architectural Support for Memory Protection and Compartmentalization

John Baldwin
Ararat River Consulting, LLC

Capability Hardware Enhanced RISC Instructions (CHERI) extend conventional RISC architectures with support for capabilities – pointers whose integrity, provenance validity, and monotonicity are protected by the hardware, and extended with protection metadata such as bounds, permissions, and encapsulation. This low-level primitive is a foundation on which a broad range of software protection properties can be built and incrementally deployed: fine-grained, referential memory protection for C/C++-language programs, protections against control-flow attacks such as ROP and JOP, prevention of pointer privilege escalation, granular and efficient in-address-space isolation and software compartmentalization, and safe interoperation between managed languages and native-code extensions.

This talk will begin with a brief introduction to the CHERI architecture (ongoing joint work at SRI International and the University of Cambridge). It will then present our recent work on CheriABI, a FreeBSD-based memory-safe UNIX process environment built over pure-capability CHERI C/C++. In this environment, code is compiled so that all pointers, explicit and implied, are implemented using CHERI capabilities. We explore the implications for operating-system design, the impact on C-language compatibility, the protection offered, and the performance implications. We will conclude by reviewing ongoing efforts to apply CHERI to other architectures.
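
To make the capability properties named above concrete (integrity via a tag, bounds, permissions, monotonicity), here is a small software model added for this page. It is not the CHERI ISA or CheriBSD code; the field layout, method names and the toy memory image are assumptions for illustration only.

```python
"""Software model of a CHERI-style capability: a pointer whose validity
tag, bounds and permissions are checked by the architecture on every
dereference.  Added example; not the CHERI encoding."""
from dataclasses import dataclass, replace

LOAD, STORE = 1, 2


class CapabilityFault(Exception):
    """Hardware trap: tag cleared, bounds violated or permission missing."""


@dataclass(frozen=True)
class Capability:
    base: int
    length: int
    offset: int = 0
    perms: int = LOAD | STORE
    tag: bool = True          # set only by the hardware, never by software

    @property
    def address(self) -> int:
        return self.base + self.offset

    def set_offset(self, offset: int) -> "Capability":
        """Pointer arithmetic may leave the bounds; a later dereference traps."""
        return replace(self, offset=offset)

    def set_bounds(self, new_base: int, new_length: int) -> "Capability":
        """Monotonicity: a derived capability can only shrink the region."""
        if new_base < self.base or new_base + new_length > self.base + self.length:
            raise CapabilityFault("bounds may only shrink")
        return replace(self, base=new_base, length=new_length, offset=0)

    def and_perms(self, mask: int) -> "Capability":
        """Permissions can be cleared, never added."""
        return replace(self, perms=self.perms & mask)

    def checked_address(self, perm: int) -> int:
        if not self.tag:
            raise CapabilityFault("untagged (forged or corrupted) capability")
        if not self.perms & perm:
            raise CapabilityFault("permission missing")
        if not self.base <= self.address < self.base + self.length:
            raise CapabilityFault(f"address {self.address:#x} outside bounds")
        return self.address


def load(mem: bytearray, cap: Capability) -> int:
    return mem[cap.checked_address(LOAD)]


def store(mem: bytearray, cap: Capability, value: int) -> None:
    mem[cap.checked_address(STORE)] = value & 0xFF


def forge(address: int) -> Capability:
    """An integer cast to a pointer has no provenance, so its tag is clear."""
    return Capability(base=0, length=1 << 32, offset=address, tag=False)


def demo() -> dict:
    """Constructed scenario: an 8-byte buffer at 16..24 next to a secret at 24..32."""
    mem = bytearray(64)
    mem[24:32] = b"SECRET!!"
    buf = Capability(base=16, length=8)
    results = {}
    store(mem, buf.set_offset(0), 0x41)
    results["in_bounds"] = load(mem, buf.set_offset(0))
    attempts = [
        ("overread", lambda: load(mem, buf.set_offset(8))),          # one past the end
        ("widen", lambda: buf.set_bounds(16, 16)),                   # try to cover the secret
        ("write_via_readonly", lambda: store(mem, buf.and_perms(LOAD), 0x42)),
        ("forged", lambda: load(mem, forge(24))),                    # integer -> pointer
    ]
    for name, action in attempts:
        try:
            action()
            results[name] = "allowed"
        except CapabilityFault as exc:
            results[name] = "trap: " + str(exc)
    sub = buf.set_bounds(18, 4)          # narrowing is the sanctioned direction
    results["narrowed"] = (sub.base, sub.length)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two details mirror what the abstract says about compartmentalization: the tag is not writable by software, so a pointer built from an integer never becomes a valid capability, and because bounds and permissions only ever narrow, a library handed a sub-capability to a buffer cannot reach the caller's other data through it.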

Software Architecture for Rich IoT Hardware Security with Corstone-700

Tushar Khandelwal
Arm

Arm’s Corstone-700 foundation IP offers a flexible subsystem and system IP to help build secure SoCs for rich IoT nodes, gateways, and embedded applications. A flexible compute architecture combines Cortex-A (Linux host OS) and Cortex-M (real-time OS) processors, with expansion for sensors, connectivity, video, audio, and machine learning at the edge.

Corstone-700 has benefited from collaboration between Arm and Microsoft to bring security to IoT devices, featuring critical elements like control from a secure enclave, TrustZone or firewalls that authenticate and filter accesses to different regions of the SoC system address space.

Arm Platform Security Architecture (PSA) is a best practices framework for securing a trillion connected devices, with support for threat assessment, security architecture, open-source firmware implementations, and product certification. Corstone-700 adheres to Arm PSA.

This presentation will focus on the open-source software implications for these emerging devices. Topics include:

  • Hardware security
  • Inter-processor communication frameworks
  • Platform Security Architecture - PSA
  • Software components and architecture
  • Secure boot
  • Yocto/OpenEmbedded recipes for software build & configuration

Purpose-built architectures with RISC-V and Xvisor

Alistair Francis
Western Digital

Purpose-built architectures for Big Data (cloud core) and Fast Data (IoT edge) require a new type of processor — one that is open, configurable and scales for data-centric applications. Meanwhile, the growth in data and connected devices has been matched by attacker interest. In pursuit of resilience, defenders have increased firmware and TCB transparency. Hardware resilience can be improved by FPGAs, with open toolchains and components.

RISC-V (risk-five) is an open Instruction Set Architecture (ISA) that enables collaborative design of open, purpose-built CPUs and EDA tools. The RISC-V Virtualisation extension (H-Extension) adds ISA support for hardware-assisted hypervisors. H-Extension makes minor additions to the ratified base ISA and privileged architecture specification, while maintaining security and increasing performance. We will discuss these ISA additions and their implementation in the QEMU machine emulator.

Xvisor is an open-source (GPLv2) bare-metal hypervisor and the first to be ported to RISC-V and use H-Extension. Xvisor is small and lightweight with a range of useful features. It has no dependency on Linux, allowing it to target smaller footprint hardware than other hypervisors. We will discuss Xvisor in the context of RISC-V and well-known CPU architectures, including performance and security considerations.

DMTF: End-to-End Infrastructure Security using the Security Protocol and Data Model (SPDM)

Jeff Plank
Microchip

Securing the operational state of embedded components has become an ever-increasing topic across the industry. Much of the industry has secured the platforms upon which these components operate, but the embedded components themselves have become the next bastion for enforcing a security model. Many devices have now incorporated secure boot and active attestation (measurement) of device state. Secure communication of the measured hardware and firmware states of active components in the server has become the next problem to solve.

In this talk, we will cover the latest proposed security protocols coming from the DMTF for communicating authentication credentials and attestation state of MCTP-enabled discrete devices. Trusted reporting enables a central trust process to confirm the integrity of the platform and to perform corrective action when necessary. The current work-in-progress SPDM 1.0 specification will be covered, along with a preview of the work-in-progress material for SPDM 1.1.

All DMTF-specific materials presented will be limited to publicly available content, as required by the DMTF disclosure agreement.
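
The abstract's "trusted reporting" of measurements to a central trust process is, at its core, a challenge/response exchange. The following Python is an added example of that exchange and is not DMTF or SPDM code: the message layout is invented and is not the SPDM wire format, and the device signature is modelled with an HMAC under a device-unique key so the example runs on the standard library (SPDM uses asymmetric signatures over a certificate chain). The device key, firmware images and golden digests are constructed for illustration.

```python
"""Simplified device-attestation exchange: the requester sends a fresh
nonce, the component answers with its measurements bound to that nonce,
and the requester checks freshness, authenticity and expected firmware
state.  Added example; not the SPDM wire format.  HMAC stands in for the
device's asymmetric signature so the example runs offline."""
import hashlib
import hmac
import json
import os

ALGO = "sha256"


def transcript(nonce: str, measurements: dict) -> bytes:
    """Canonical bytes that the signature covers: nonce and all measurement blocks."""
    return json.dumps({"nonce": nonce, "measurements": measurements}, sort_keys=True).encode()


class Device:
    """Responder: an MCTP-attached component holding a device-unique key."""

    def __init__(self, key: bytes, firmware_images: dict):
        self._key = key
        # Measurement blocks: index -> digest of the image that actually booted.
        self.measurements = {i: hashlib.sha256(img).hexdigest()
                             for i, img in sorted(firmware_images.items())}

    def respond(self, challenge: dict) -> dict:
        nonce = challenge["nonce"]
        sig = hmac.new(self._key, transcript(nonce, self.measurements), ALGO).hexdigest()
        return {"nonce": nonce, "measurements": self.measurements, "sig": sig}


class Verifier:
    """Requester: the central trust process holding golden measurements."""

    def __init__(self, key: bytes, reference: dict):
        self._key = key
        self.reference = reference
        self._outstanding = set()          # nonces issued but not yet answered

    def challenge(self) -> dict:
        nonce = os.urandom(32).hex()
        self._outstanding.add(nonce)
        return {"nonce": nonce}

    def verify(self, response: dict):
        """Return (accepted, reason); checks run in freshness, authenticity, state order."""
        nonce = response.get("nonce")
        if nonce not in self._outstanding:
            return False, "replayed or unsolicited response"
        self._outstanding.discard(nonce)   # each nonce is good for exactly one answer
        expected = hmac.new(self._key, transcript(nonce, response["measurements"]), ALGO).hexdigest()
        if not hmac.compare_digest(expected, response["sig"]):
            return False, "signature does not verify"
        bad = [i for i, d in self.reference.items() if response["measurements"].get(i) != d]
        if bad:
            return False, f"unexpected measurements at index {bad}"
        return True, "ok"


def demo() -> dict:
    key = b"device-unique-key (constructed for this example)"
    good_fw = {0: b"bootloader v2", 1: b"application fw 1.4"}
    reference = {i: hashlib.sha256(img).hexdigest() for i, img in good_fw.items()}
    verifier = Verifier(key, reference)
    healthy = Device(key, good_fw)
    tampered = Device(key, {0: b"bootloader v2", 1: b"application fw 1.4 + implant"})
    results = {}
    results["healthy"] = verifier.verify(healthy.respond(verifier.challenge()))
    results["tampered"] = verifier.verify(tampered.respond(verifier.challenge()))
    # A genuine response captured earlier and replayed: nonce already consumed.
    old = healthy.respond(verifier.challenge())
    results["healthy_again"] = verifier.verify(old)
    results["replay"] = verifier.verify(old)
    # A compromised device pasting the golden digests over its own: breaks the signature.
    forged = tampered.respond(verifier.challenge())
    forged["measurements"] = dict(reference)
    results["forged"] = verifier.verify(forged)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
</```

The order of checks is deliberate: freshness first, so a replayed quote is rejected before any cryptography runs; then authenticity, so only the device that holds the key can vouch for a measurement set; and only then the comparison against the golden state that decides whether the central process must take corrective action.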

H U M A N S

Growing Risks in the Software Supply Chain

Mark Sherman
Software Engineering Institute/CERT, Carnegie Mellon University

Today’s software is largely assembled rather than written, and most of the assembly comes from open source components. The creation of components and their inclusion into applications creates a “supply chain” just like in conventional manufacturing. While physical supply chains have well established chains-of-custody to establish properties like refrigeration maintenance, authenticity or spoilage avoidance, the software supply chain is very much a wild, wild west, filled with vulnerabilities that can be (and are) inadvertently inserted into applications.

As supply chain risk and mitigations are being explored by government and academia, a larger attack surface is being uncovered that needs to be addressed. This presentation describes the parts of the software supply chain, how vulnerabilities have been introduced, the growing attack surface from new methods of building and distributing software, and the actions that developers can employ to avoid or mitigate the risks inherent in an assembly-based software development strategy.

Trends in Server Platform Security

Rob Wood
NCC Group

Servers are no longer deployed solely within security-controlled data centres. For a variety of reasons, such as network latency, servers are often deployed within the networks of low-cost third-party cloud providers and foreign ISP data centres. The physical security of these data centres is outside of the server operator’s direct control. Additionally, while supply chain attacks have always been a threat, they have recently been in the news as an increasingly visible concern. The deployment and supply chain realities need to be accompanied by an expansion of threat models, which must now include local attacks against the hardware and firmware.

This is the realm below the operating system and hypervisors, where hardware and firmware provide the foundational security of the platform. We will discuss the common architectural shortcomings with current server security solutions as they fail to meet the physical security needs of today. We will also discuss in detail some common vulnerability classes that we see every day in servers covering the range of firmware, circuit, silicon and supply chain. Finally, we will touch on some recent advances, and guidance that you, your equipment vendors, and firmware providers can look to, in order to help ensure that your data remains secure.

The Road to Safety Certification: How the Xen Project is Making Progress

Lars Kurth
Citrix

Safety certification is an essential requirement for software that will be used in highly regulated industries. The Xen Project, a stable and secure hypervisor that is used in many different markets, has been exploring the feasibility of building safety-certified products on Xen for the last year, looking at key aspects of its code base and development practices.

In this session, we will lay out the motivation and challenges of making safety certification achievable with open source and the Xen Project. We will outline the process the project has followed thus far and highlight lessons learned along the way. The talk will cover technical enablers, necessary process and tooling changes, and community challenges. Safety certification for commercial software based on an open-source hypervisor is an exciting and challenging goal.

P L A T F O R M S

Advancing Windows Security

David Weston
Microsoft

Windows is the operating system and application platform that powers hundreds of millions of customers, enterprises, and core infrastructure globally. In order to remain resilient in a constantly evolving threat landscape, the OS security engineering team at Microsoft has built a strategy to address new and challenging attacks. This talk will walk attendees through Windows current and future security strategy and the engineering challenges with scaling across new devices, form factors, and threat models from client to the intelligent edge and cloud.

Trustworthy Cloud Platforms

Brian Payne
Oracle

More than 15 years since the infamous “Trustworthy Computing memo”, the industry still lacks a widely-available general compute platform that delivers on the vision set forth at that time. A lot of progress has been made, but overall platform trustworthiness is still difficult to quantify, for even the most savvy security professionals.

Meanwhile, trends in enterprise computing created the cloud and cloud providers, operating at previously unthinkable scale. Moving sensitive data and workloads to the cloud can be a leap of faith for many customers and so cloud providers are eager to offer the type of assurance promised by trusted computing technologies.

So why aren’t today’s trusted computing technologies deployed widely across the cloud? In this talk, we’ll share our perspective and some of the challenges we face as we strive to deliver verifiably trustworthy cloud platforms for OCI and its customers.

Complexity Everywhere: is it time to step back and rethink our platforms?

Marek Marczykowski-Górecki
Invisible Things Lab

Our platforms are unbelievably complex, with more and more parts having the potential to take full control over the platform. This includes all kinds of firmware (UEFI, critical devices’ firmware), auxiliary processors (e.g. Intel ME, AMD PSP), hypervisors, kernels, etc.

Many ongoing efforts are about validating that such components are genuine. This allows detection of malware trying to persist in a component, but does not solve other potential problems — e.g. an intentionally malicious component, or runtime attacks on a bug-prone component.

Should we take a step back and try to simplify our platforms, so we have much fewer moving parts in the Trusted Computing Base (TCB)? In this talk, the author will explore which parts of an abstract platform absolutely need to be trusted and what properties they should have. Then, with those requirements as an input, he will present ideas on how we can make such a platform a reality.

A Renaissance of Trust: Architecting the Hardened Access Terminal (HAT)

Daniel Smith
Apertus Solutions

There is growing interest in platform security with the visibility of Zero Trust and Beyond Corp. While terminology and technology have evolved, the situation and underlying concepts are exactly the same as Dorothy Denning described in her 1979 paper “Secure Personal Computing in an Insecure Network”. This is but one example of the tremendous body of work starting in the late 1960s, carrying through the 1970s and 1980s, that studied the problem space.

The Hardened Access Terminal (HAT) is an open source reference architecture that embodies a revival of this tremendous body of intellectual thought, reborn through modern technology. This talk will walk through select works drawing corollaries to their modern problem space and how they contribute to the HAT architecture. The talk will conclude with a full introduction to the HAT architecture, which may be implemented with open source components, proprietary components, or a combination of the two.

Virtualizing Arm in the Cloud and at the Edge with VMware

Ye Li
VMware

Arm-based systems are becoming important in a number of new and critical market segments, such as IoT/edge compute, edge NFV, and cloud. This session will go over the market opportunities, where Arm-based technologies have an impact, and describe what VMware is doing to address these new challenges with the VMware ESXi hypervisor for 64-bit Arm platforms.

Edge Virtualization Engine (EVE)

Roman Shaposhnik
ZEDEDA

IoT device mesh fabrics can deploy real-time, cloud-native applications at hyperscale. Edge Computing brings what’s great about Cloud Computing (developer friendly APIs and Software-Defined Everything) to the harsh physical environment and security architectures of IoT and IIoT deployments. For security (physical, network, application), Edge is closer to the mobile computing industry than its datacenter roots.

In this talk we will present a novel, secure-by-design Edge Computing platform created at ZEDEDA Inc. and later used as a founding project for the Linux Foundation’s LF Edge initiative. This special purpose, open-source operating environment aims to run securely on billions of ARM and x86 devices. EVE (Edge Virtualization Engine) aims to become to Edge Computing what Android has become to Mobile computing.

We will walk you through the unique security challenges of EVE, with inspiration from Android and iOS mobile computing requirements, such as tamper resistance and hardware root of trust, protecting applications with virtualized secure elements and built-in crypto-routed mesh networking.

The talk will conclude by explaining how EVE fits into its umbrella organization LF Edge, and how approaches developed by EVE can be embraced by other projects in the foundation.

B O O T   I N T E G R I T Y

Who's in your firmware, and why should you care?

Roger Thompson
TCSL Research LLC

This presentation enumerates threats known to exist in some versions of the Unified Extensible Firmware Interface, and discusses other items perhaps best described as “Not Yet ‘threats per se’, But Should Be Kept In Mind”.

The author describes himself as a first-generation anti-virus guy, who is quite sure that the next malware battleground is below the OS… in the firmware. He formed his current business, TCSL Research LLC, in 2016, to study issues with the firmware.

The Evolution of Advanced Threats: REsearchers Arms Race

Alex Matrosov
Nvidia

The evolution in defensive software is really connected to the evolution of the modern threat landscape. Each new iteration of evolution is focused on covering specific gaps in detection methods or data collection algorithms. The main direction of advanced threats like rootkits or bootkits has been to gain persistence methods to be closer to firmware and hardware levels. While modern operating systems are building mitigations to increase the cost of exploitation and malware persistence, advanced threat actors are already looking ahead for the next-lowest level of persistence.

This talk will look through the evolutionary prism of advanced threats, at the evolution—or lack of evolution—of tools for forensics and reverse engineering. During the talk, we will delve into modern platform security gaps, seeking solutions to improve auditing visibility and prevent advanced threat actors from gaining a foothold in platform levels where security sensors do not exist.

LinuxBoot progress: boot anything from Linux

Chris Koch
Google

Secure systems are founded on open, auditable, and well-tested firmware. LinuxBoot replaces traditionally closed source firmware (e.g. UEFI) with an open, auditable, and measurable Linux kernel and initramfs. We’ll present an overview of LinuxBoot, its part in the boot integrity story, and talk about newly gained abilities to boot VMware, Xen, and Windows from Linux, and future plans. We’ll also discuss how this work is being deployed in commercial data centers, and in embedded environments such as coreboot, u-boot, and SlimBoot.

System Transparency

Kai Michaelis
9elements Cyber Security

The ever increasing usage of cloud-based software forces us to face old questions about the trustworthiness of our software. While FLOSS allows us to trust software running on our platforms, System Transparency establishes the same level of trust in SaaS and IaaS scenarios.

System Transparency accomplishes this by combining FLOSS firmware, 3rd party transparency logs and novel use of Trusted Computing technologies. This talk introduces System Transparency and details the platform security features we implemented as part of our reference system:

  • Coreboot support for SuperMicro X11SSH-TF, a modern x86 server mainboard.
  • An improved measured boot implementation in coreboot that provides more detailed measurements for vendor blobs like Intel ME.
  • Intel TXT support in coreboot. The initial boot block of coreboot is now measured into the TPM before it is executed by the CPU. Additionally, operating systems booted after coreboot can now be started in a Measured Launch Environment.

The talk will also describe our reference implementations’ custom bootloader based on LinuxBoot. It verifies that boot artifacts are signed by the platform owner and are in the transparency log before continuing. This makes sure that 3rd parties can audit past and present artifacts booted on the platform.

Improving the platform firmware update ecosystem

Vincent Zimmer
Intel Corporation

As the rich capabilities of platforms increase, so does their complexity. As hypervisors and operating systems harden their attack surfaces, malware has been moving deeper into the platform. For example, a modern laptop may have over 15 updatable firmware elements, each with low-level access to a specific hardware domain. In order to provide security guarantees for platform firmware, the servicing model of the platform takes center stage.

This session discusses the evolution of platform servicing using examples based on device firmware, non-host/system-on-a-chip (SOC) firmware, and implementations of the Unified Extensible Firmware Interface (UEFI). A modern servicing model features elements for component-based update, resiliency in case of unexpected conditions, a more seamless user experience, lower friction in update integration, and telemetry for a view into platform health and firmware inventory. Important aspects of this work include a code-first approach using elements from the TianoCore open source community. Host firmware is an integral ingredient of platforms at Intel. From the early days of proprietary BIOS in the 1980’s and 1990’s, to the world of standards in the 2000’s, to the post-PC world of the last few years, the nature of firmware has changed.

This talk will discuss current trends in standards such as UEFI and associated EDKII firmware, other communities like coreboot, and common denominators like the Intel® Firmware Support Package. For the enterprise, open-source server host firmware and the Open Compute Project (OCP) Open System Firmware (OSF) efforts will also be described, including the recent publication of Min Platform. The talk will also touch on emerging solutions, challenges and market opportunities for more seamless enablement of Intel Architecture.

Less-Insecure Network Edge Virtualization with Low Size, Weight and Power

Piotr Król
3mdeb Embedded Systems Consulting

Modern practices for building less-insecure systems leverage virtualization, for isolation properties and flexible support of narrow component interfaces. The Trusted Platform Module (TPM), an IC for critical cryptographic functions, is now more usable by OSS software. TPMs provide a Root of Trust for Dynamic (DRTM) and Static (SRTM) measurements for platform integrity.

These are supported by the apu2, a reliable, Low-SWaP x86 device from Swiss OEM PC Engines. Usable as a SOHO firewall or industrial edge device, it has nearly-open hardware, coreboot firmware, mPCIe extensibility and an extended support lifecycle for the embedded CPU and motherboard.

Both SRTM and DRTM (AMD SKINIT) are supported on PC Engines apu platforms. The TrenchBoot framework uses these to verify launch integrity, before booting the Xen Type-1 hypervisor, built with the meta-virtualization and meta-measured layers of OpenEmbedded/Yocto.

We will show SRTM via coreboot, DRTM via AMD SKINIT in TrenchBoot, a complete Chain of Trust for the Xen hypervisor, and a virtual firewall appliance isolated by IOMMU from the physical NIC devices. We will present benchmark data for virtualization overhead, explain how this complexity can still be practical, and the value provided by this stack.
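
Both the System Transparency abstract (measuring the coreboot bootblock into the TPM before it executes, with finer-grained measurements of vendor blobs) and the TrenchBoot chain of trust described here rest on the same primitive: each stage hashes the next and extends a PCR, and a verifier later replays the event log and compares it with the quoted registers. The Python below is an added example of that replay and is not coreboot, TrenchBoot or System Transparency code; the PCR assignments, component blobs and event log are constructed for illustration (SRTM stages into the static PCRs, the dynamic launch into PCR17), and a real verifier would take the quoted values from a signed TPM quote rather than a function argument.

```python
"""Replay a measured-boot event log into PCR-style registers and compare
the result with the values a TPM would quote and with known-good values.
Added example; event log and reference values are constructed."""
import hashlib
from typing import List, Tuple

PCR_SIZE = 32
Event = Tuple[int, str, bytes]     # (pcr index, description, component bytes)


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || digest). Order-dependent, not reversible."""
    return hashlib.sha256(pcr + digest).digest()


def replay(log: List[Event], num_pcrs: int = 24) -> List[bytes]:
    """Recompute every PCR from the log, starting from all-zero registers.
    (A DRTM launch resets PCR17 to zero before extending the SLB into it,
    so starting from zero is the right model for that register too.)"""
    pcrs = [bytes(PCR_SIZE)] * num_pcrs
    for index, _desc, component in log:
        pcrs[index] = extend(pcrs[index], hashlib.sha256(component).digest())
    return pcrs


def verify(log: List[Event], quoted: List[bytes], golden: dict) -> Tuple[bool, list]:
    """Two checks a verifier performs:
    1. the log replays to the PCR values the TPM quoted (log integrity);
    2. the quoted values equal the golden values from a known-good boot."""
    problems = []
    for i, v in enumerate(replay(log)):
        if quoted[i] != v:
            problems.append(f"PCR{i}: event log does not reproduce quoted value")
    for i, v in golden.items():
        if quoted[i] != v:
            problems.append(f"PCR{i}: differs from golden value")
    return not problems, problems


def first_divergence(log: List[Event], golden_log: List[Event]):
    """Pinpoint which component changed by comparing per-event digests."""
    for n, ((i, desc, a), (j, _, b)) in enumerate(zip(log, golden_log)):
        if i != j or hashlib.sha256(a).digest() != hashlib.sha256(b).digest():
            return n, desc
    return None


GOLDEN_LOG: List[Event] = [            # constructed known-good boot
    (0, "coreboot bootblock", b"bootblock-4.10"),
    (0, "coreboot romstage", b"romstage-4.10"),
    (0, "coreboot ramstage", b"ramstage-4.10"),
    (2, "vendor blobs", b"vendor-blob-1.0"),
    (4, "bootloader", b"linuxboot-initramfs-2019.09"),
    (17, "DRTM SLB (SKINIT)", b"trenchboot-slb"),
    (17, "Xen + dom0 kernel", b"xen-4.12"),
]


def demo() -> dict:
    golden_pcrs = replay(GOLDEN_LOG)
    golden = {i: golden_pcrs[i] for i in (0, 2, 4, 17)}
    # Attacker replaced romstage; the bootblock measured it faithfully.
    tampered = list(GOLDEN_LOG)
    tampered[1] = (0, "coreboot romstage", b"romstage-4.10-backdoor")
    return {
        "clean": verify(GOLDEN_LOG, golden_pcrs, golden),
        "tampered_component": verify(tampered, replay(tampered), golden),
        "which": first_divergence(tampered, GOLDEN_LOG),
        # Attacker tidied the log to look clean, but the quote reflects what booted.
        "log_edited": verify(GOLDEN_LOG, replay(tampered), golden),
        # Same components in a different order give a different PCR0.
        "order_matters": replay(list(reversed(GOLDEN_LOG[:3])) + GOLDEN_LOG[3:])[0] != golden_pcrs[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The "log_edited" case is the one that matters in practice: an attacker who controls the OS can rewrite the event log, but cannot make the TPM quote agree with it, and a verifier that checks only the log and never the quote would miss the change.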

Accessible Security: deploying Qubes reasonably secured OS on slightly more secured hardware. An OEM approach to transferring device and secrets ownership

Thierry Laurion
Insurgo Open Technologies

As security professionals, we know nothing is fully secure. Qubes OS modestly refers to itself as a “reasonably secured OS”. If security is so hard for professionals, how can the rest of the world benefit from our cutting edge developments, when they can’t read code or flash ROMs?

Our end goal is to provide individuals with access to the state of the art in security research, without requiring them to read source code for hours or to become security researchers. In pursuit of this goal, we have contributed to upstream open-source projects, winning an NLnet grant to improve accessibility and integration.

In this talk we will present our approach to preinstalling Qubes’ “reasonably secured OS” on what we call “slightly more secured hardware”, benefiting from Heads, me_cleaner and coreboot, among other open-source security projects.

Topics we will cover are:

  • Importance of binary-free firmware in establishing a static root of trust with a TPM and smartcard: Transit tamper evidence, provable security and device re-ownership.
  • User-controlled hardware, responsibility, empowerment and support.
  • Compartmentalization, hardware requirements and binary blobs status quo.
  • The FSF RYF gap: Neutered ME (BUP), Deactivated ME (HAP), Deleted ME (GM45) vocabulary importance.
  • Future platforms, challenges and limitations.



M E D I A   P A R T N E R S

The Trusted Computing Group (TCG) is a not-for-profit organization formed to develop, define and promote open, vendor-neutral, global industry specifications and standards, supportive of a hardware-based root of trust, for interoperable trusted computing platforms. TCG’s core technologies include specifications and standards for the Trusted Platform Module (TPM), Trusted Network Communications (TNC) and network security and self-encrypting drives. TCG also has work groups to extend core concepts of trust into cloud security, virtualization and other platforms and computing services, from the enterprise to the Internet of Things.




Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries.

Xen Project is a trademark of the Linux Foundation.