We continue discussing the paper "Shielding applications from an untrusted cloud with Haven,” written by Andrew Baumann, Marcus Peinado, and Galen Hunt.  We discussed SGX optimizations that could be attempted in newer releases but were found in the study by the authors. We continue to review the SGX hardware notes in the paper. We were reviewing shielded VMs. Now we look at shielding without information leakage. The intermediate state of Haven is saved in encrypted form on disk so that the host does not know. But SGX shares information with the host such as exceptions and page faults. This becomes necessary for dynamic management of resources.Had they been static, the host need not observe guest states. Faulting addresses are important for the OS to use proper page replacement algorithm to manage physical memory. The OS multiplexes resources over varying demands from the application.
This can still work with shielded execution. Just the role of the resource manager needs to change. Presently the resource manager determines the quantity of resources such as the number of physical pages to allocate with the selection of specific resources namely the virtual to physical mapping. The authors say that if these were decoupled, it would give the host control only over resource quantities and allow the guest to choose specific resources to release when the allocations change. For example, memory would be managed by allocating physical pages in the host, but allow the guest to control its virtual mappings, and use self-paging to permit over-subscription. The host may ask a guest to release pages or release it all. The hardware could also support cache partitioning and discriminate the cache as similar to coloring or tagging the pages. This does not restrain physical allocations and the cache can be flushed and repartitioned. This therefore does not leak the guest state.
There are other kind of hardware that also support such security. Hardware security modules (HSM) are one such. They are used to protect high-value secrets such as keys in the cloud.  An HSM is a computing element that is tamperproof because it uses a physical barrier and a self destruct mechanism to erase data when the barrier is compromised. AWS offers this module and there are APIs for key manipulation, signing and encryption. As a result the cloud users keys are protected but other data must still be transiently decrypted in a general purpose node in order to use it. This reduces the attack surface but does not eliminate it when compared to storing data in the clear. Since it involves a dedicated hardware, HSMs are expensive.

We continue discussing the paper "Shielding applications from an untrusted cloud with Haven,” written by Andrew Baumann, Marcus Peinado, and Galen Hunt.  We discussed SGX optimizations that could be attempted in newer releases but were found in the study by the authors. We continue to review the SGX hardware notes in the paper. SGX is the first commodity hardware that permits efficient multiplexing among multiple isolated programs without relying on trusted software. But while SGX is isolating the virtual address space, it would be even more inclusive to isolate full virtual machines. There are several benefits to this. First the operating system will be included altogether and this expands the capabilities significantly. By supporting a complete guest operating system, we can have more than one processes in stead of isolating a portion of user address as we do today. Though this comes with a huge trade off of surface area increase for vulnerabilities but it is not the same as Type II hypervisors today because we are in fact encrypting and redefining the trusted computing base. The fundamental assumption that the host is untrusted can be expanded and used in different contexts which leads to more challenges to solve in building such hardware. For example, this involves multiple levels of address translation, privileged instructions and virtual devices. Since the assumption is the same, the architecture in the shield module would apply at this scope and level as well. Let us take the example of virtual or pseudo devices. Whether the device isolates itself depends on whether it is communicating across the interface we want to protect.Virtualization makes it easy to port because it is no longer bound to physical resources but even a virtual device needs to be shielded when it is communicating across the trust boundary. Virtual resources can enable multiplexing  over the same physical resources. It is not that all the devices need to be shielded so some can be grouped together for isolation. Encryption-decryption and the ability to resume from a saved state is key to implementing this solution. The design is based on the principle of policy/mechanism separation. The guest controls the policy for virtual resources while the host manages policy only for physical resources. Resources are different from devices we talked earlier. Virtual resources include such things as virtual address allocation, threads etc. Physical resources address such things as memory and CPU time. This design using policy/mechanism separation enables the host to merely allocate and bookkeep resources where as the shield manages the policies.  #codingexercise
We were discussing the Hamiltonian cycles in a complete graphy. The problem was stated this way.
In a complete undirected graph, there are n nodes numbered 1 to n and there are k forbidden edges. Find the number of Hamiltonian cycles in this graph that don't contain the forbidden edges. Assume that order of traversal does not matter.

We gave the solution as follows

Permutations of  nodes as represented by characters and their sequences as edges traversed. 
Void Permute (String a, StringBuilder b, bool[] used, List<string> edges) 
{ 
  If ( b.Length == a.Length)  { if ( edges.Any(x => b.contains(x)) == false) print b.ToString(); return;} 
  For (int I = 0; I < a.Length ; i++) 
  { 
    If (used[i]) continue; 
     used[i] = true; 
     B += A[i]; 
     Permute(a, b, used, edges);
     B [B.Length – 1] = ‘/0’; 
     used[i] = false; 
  } 
} 
One optimization we suggested was to bail early from a permutation when an edge already listed appears in the forbidden list.
Another way, we could optimize this is to generate all possible forbidden edge combinations using the given ones.
Then we list possible permutations of the Hamiltonian cycles. 
Finally we exclude the edges that contain any of the combinations.  
The key to improving performance this way is the patterns to match and cycles to run against. The latter is fixed in number but the former if comprehensive and attempted with longer patterns first, might be cheaper to execute. What we are trying to do is that if we sort the  pattern and the occurrences, we can do better than the naiive O(n^2) check

Paas, CloudFoundry and UI

User Interfaces and portals for Web applications have traditionally been deployed to dedicated virtual machines and are bound to it. When such applications need to be migrated, it involves manual intervention and planning. But both applications and services can both take benefits of CloudFoundry and PaaS. They are not restricted to the same physical machine that they were once deployed on. With these software, the applications and services can be rolled from one host to another seamlessly without any loss of functionality. They don't require any updates either to code or configuration when they are rolled between hosts.
User Interface is no exception. If APIs and services can avail the advantages of PaaS which include such things as automated code deployments from source control using say Jenkins, continuous monitoring of applications and services, consistent maintenance across applications and services, availability of multiple buildpacks and server software to host the applications. We will go through these benefits in detail shortly but let us take a look at the hosting requirements between API and UI in PaaS.
API software usually exposes an http/https endpoint and port for connectivity. While it may involve authentication, encryption and use of api-keys, all of these are done over basic authentication scheme or OAuth, they are  contained to api implementations and external service consolidators such as a gateway.  A user interface on the other hand may have to integrate with an identity provider and authentication mechanism such as SAML or OAuth external and probably central to an organization and not necessarily within the control of the applications and services framework. Fortunately these are facilitated with a route from the PaaS. The application merely has to handle the redirects from the said authentication mechanisms and the redirects are to specific name:port that can be ported between PaaS hosts as routes. The external ip address of the host and port can be retrieved in code as CF_INSTANCE_ADDR and CF_INSTANCE_PORT
Most of the UI code is generally written as static drop in /var/www folder or as a server side software such as node.js or django. In either case, the provisioning of UI could be attempted on CloudFoundry and PaaS by deploying the code and setting the environment variables such as HOME and WEBDIR

#codingexercise
Yesterday we discussed Hamiltonian cycles from complete graphs.
Permutations of  a string: 
Void Permute (String a, StringBuilder b, bool[] used, List<string> edges) 
{ 
  If ( b.Length == a.Length)  { if ( edges.Any(x => b.contains(x)) == false) print b.ToString(); return;} 
  For (int I = 0; I < a.Length ; i++) 
  { 
    If (used[i]) continue; 
     used[i] = true; 
     B += A[i]; 
     Permute(a, b, used, edges);
     B [B.Length – 1] = ‘/0’; 
     used[i] = false; 
  } 
}

Not the forbidden edges can actually be enumerated in different combinations and excluded from the permutations before a permutation reaches full length.

We continue discussing the paper "Shielding applications from an untrusted cloud with Haven,” written by Andrew Baumann, Marcus Peinado, and Galen Hunt. We discuss the various issues encountered. We now review  SGX optimizations that were recommended by this Haven study. One was Exception Handling and the other was Demand Loading.
When an exception is reported to the user, SGX provides the register context and information to shield module. The shield then performs sanity-checks to ensure that the exception is valid, it is in the shield module and that it should be reported to the LibOS. When the shield prepares to deliver the exception to the LibOS, it copies the context and cause in a format defined by the drawbridge ABI. The context is modified to run the LibOS exception handler. Haven resumes the modified context. But the ERESUME instruction is only available outside the enclave. In fact both ERESUME and IRET are illegal in an enclave. The shield, therefore, EEXITs to a small untrusted stub that immediately resumes the enclave, restoring the context. The LibOS then runs and the application exception handlers get a chance which typically finish by executing the IRET to restore the original context. But the IRET is an illegal instruction and so another exception is triggered. A single application exception results in two exceptions and eight enclave crossings. If these instructions were permitted or their replacements provided, then it would be a significant performance win.
Demand loading is the other scenario where optimization has been made possible. Haven's shield loads application and LibOS binaries. Initially however it did not load lazily. A lazy load is so called because the virtual address space is reserved but the pages are allocated and filled only on first access. As loading occurs, other threads may also access the same pages. Demand paging is done using a private memory mapping before remapping pages with appropriate permissions in the final location. But SGX does not support moving an existing page. Haven loads all the binaries even before a page fault occurs. This adds overhead to startup because there may be many DLLs that are to be loaded costing time and also space. An optimization would be to include an instruction which allows a new page to be both allocated and initialized  with a copy of the data from the private memory mapping. Then this new page can be made available to the application. Thus demand loading can be another win.
 #codingexercise
In a complete undirected graph, there are n nodes numbered 1 to n and there are k forbidden edges. Find the number of Hamiltonian cycles in this graph that don't contain the forbidden edges. Assume that order of traversal does not matter.

A Hamiltonian cycle is one which visits all the vertices exactly once. A forbidden edge that connects two vertices must not be in this cycle. The graph is complete and undirected so every pair has an edge. Therefore a node can reach every other node. When the nodes are listed in the order of the Hamiltonian cycle, we see that those nodes can be jumbled in any way because each node can reach every other node. Consequently the problem degenerates to finding the permutations of the sequence 1 to n. such that the forbidden edges don't appear.

Permutations of  a string: 
Void Permute (String a, StringBuilder b, bool[] used, List<string> edges) 
{ 
  If ( b.Length == a.Length)  { if ( edges.Any(x => b.contains(x)) == false) print b.ToString(); return;} 
  For (int I = 0; I < a.Length ; i++) 
  { 
    If (used[i]) continue; 
     used[i] = true; 
     B += A[i]; 
     Permute(a, b, used, edges);
     B [B.Length – 1] = ‘/0’; 
     used[i] = false; 
  } 
} 

Governance, Regulations and Compliance: 

Cloud computing has proliferated VMs while security standards have been trying to catch up from the resource centric IT environments earlier to more datacenter oriented environments now. Fortunately, this has evolved based on the clouds are offered – public, community, private and hybrid. A public cloud has the highest risk due to lack of security control, multi-tenancy, data management, limited SLA and lack of common regulatory controls. A community cloud has moderate risk due to multi-tenancy, however it has less risk than public cloud due to shared legal/regulatory compliance issues. A private cloud has the least risk due to single ownership and strong shared mission goals along with legal/regulatory requirements. A Hybrid cloud has risk that depends upon combined models. A combination of private/community is lowest risk while a combination of public/community poses greatest risk.  The scope also matters. A public cloud serves several hundreds of organizations. A community cloud works with the private network of two or more organizations. A private cloud is entirely internal to the organization’s private network. A hybrid cloud can have a private/community cloud entirely within the organization’s private network with spillover capacity to a public/community cloud. 

The Information security governance framework is primarily Plan, Do, Check, Act cycle of continuous improvement and is comprised of seven management processes. These are strategy & planning, policy portfolio management, Risk management, management overview, Communication & outreach, compliance and performance management, awareness & training.  The management processes govern the implementation and operation of the functional processes, which vary based on the cloud environment. 

Central to the implementation of the functional processes, is the scheduled sweep of resources for GRC purposes. These sweeps involve tightening the configurations of Virtual Machines in all forms and flavors. These cover such things as the network connectivity configurations and System Security Services.  When a user logs into the VM, whether his password has expired or not, whether he is still an active employee or not, whether a login can be granted or not etc. are all part of the server hardening requirements. Yet the boiler plate configurations at each Virtual machine often escape the scrutiny that otherwise falls on the public cloud. When a public cloud is set up to run an Active Directory, it is usually done as a managed service. The connectivity from the virtual machines depends on their configurations. The access provider, the id provider and the change password provider specified in the sssd configuration determine how the virtual machines enable accounts. A careful scrutiny of this configuration can itself eliminate several vulnerabilities and maintenance activities. The cost of workflows and implementations increases significantly as and when the ripples reach downstream systems or later point of time. Therefore early and proactive mitigation by compliance and governance processes is immensely beneficial. When done right, it does not even require to change very often

#coding exercise
we discussed generating groups of K from N elements using recursion as saying
void assignGroups(int n, int k)
{
  if (k == 1) { // all elements in one group }
  if (n == k) { // each element in its own group }
  return assignGroups( k * assignGroups(n-1) + assignGroups(n-1, k-1));
From the above, We know the k sets can have sizes in one of the following configurations
N-k+1, 1, 1,  ... 1 (k-1 times)
N-k, 2, 1  ... 1 (k-2 times )
.
.
N/k, N/k, N/k .... (k times)

These sequences of sizes don't change while the contents can change.
But we know we can  We can generate combinations of any length m for one of the sets in k with 

Void Combine (List<point> a, List<point> b,int m, int start, int level)

{

For (int I = start ; I < a.Length; i++)

{

b[level] = a[i];
if (b.length == m) print(b);

If (I < a.Length)

Combine(a,b, m, start+1,level+1)

B[level] = NULL;

}

In fact we already know all the combinations of all sizes from above. This helps us make one set in k. The remaining sets can be made with remaining elements with the same code.
So instead of taking permutations, we could also solve this problem exclusively with combinations.

. 

We continue discussing the paper "Shielding applications from an untrusted cloud with Haven,” written by Andrew Baumann, Marcus Peinado, and Galen Hunt. We discussed performance study earlier. Today we discuss trusted computing base and the various issues encountered.  The LibOS includes a large subset of Windows.  But all the code is in the enclave. Therefore it is all in the user's trusted computing base and its sanctity can be maintained with scanning for malware, code inspection and other such means. This allows the application to move from a private data center to a public cloud. In this regard, Haven addresses two real threats : a malicious employee of the cloud provider with either admin privileges or hardware access  and a government subpoena.Finally, Haven also relies on the processors' correctness.
There are some future work planned with Haven. Haven does not currently prevent rollback of filesystem state beyond the enclave's lifetime. It cannot avoid the following attack. the enclave is terminated.( eg, the host fakes  a crash) and its in-memory state is lost. A new instance of the enclave accessing the VHD can read consistent data but not the latest. To mitigate such attacks, a non-volatile storage is needed but every write then has a networking communication cost which is way too expensive. However critical writes could be safeguarded this way.
Haven also relies on system time and timeouts by the untrusted host but both these can be changed by a malicious host. Haven plans to mitigate this by ensuring the clock always runs forward and the use of  a cycle counter as an alternative time source.
VMs can be saved resumed and migrated. Host has to capture and recreate guest state. However Haven explicitly prevents this. Haven plans to support these in the future with checkpoint and resume at the Drawbridge ABI level. In the simplest form, the host could request the Haven guest to suspend itself which it would do by capturing its own state to an encrypted image. The host can spin off a new enclave to resume execution on another node. Before gaining access to the encrypted image, the new guest would perform an attestation step. This gives it the keys necessary to access the encrypted checkpoint image.

#square fields problem ( covering N points with K squares on XY plane )

Another way to solve this problem would be to generate the permutation of the N points as follows:
Void Permute (List<Point> a, List<Point> b, bool[] used) 
{ 
  If ( b.Length == a.Length)  { print b.ToString(); return;} 
  For (int I = 0; I < a.Length ; i++) 
  { 
    If (used[i]) continue; 
     used[i] = true; 
     B += A[i]; 
     Permute(a, b, used); 
     B [B.Length – 1] = NULL; 
     used[i] = false; 
  } 
} 
and for each permutation assign them to different squares where squares range from 1 to K and each square can have 1 to N-K+1 points. 
List<List<Point>> assignSquares(List<Point> b)
{
int I = 0;
var squares = new List<List<Point>>();
for (int m = 0; m < k; m++) {
 // initialize each of the k squares
 int count = N-K+1;
 var square = new List<Point>(count);
 square.AddRange(Enumerable.Repeat(NULL, count));

 // assign
 for(int t = 0; t < N-K+1; t++){ 
    if ( I == N) continue;
    square[t] = b[I];
    I++;
} 
 squares.Add(square);
}
return squares;
}
abc
ab c
ba c
ac b
ca b
bc a
cb a
 abcd
abcd

How do we meet the compliance and security requirements for a Cloud?
Here are some cloud provider readiness checks:
Does the cloud have the ability to encrypt data at rest and in transit?
Does the cloud have the ability to pull audit information via logs?
Does the cloud include role-based access control?
Does the cloud have the ability to map roles according to enterprise hierarchy, or to a facsimile of the enterprise organizational structure?
Can the cloud authenticate against a central system of record based on user roles and assignments?
Can the cloud integrate with existing command-and control systems?
Can the cloud back up data off the cloud?
Does the cloud have built-in disaster recovery capabilities?
courtesy : Shriram Natarajan
In addition, the organization supporting cloud services  will need to honor audit requirements and Health Insurance Portability and Accountability Act. Payment Card Industry customers will need to re-certify yearly to ensure they are still complying with regulations, and the cloud provider should be able to meet these requirements. We can guarantee the cloud compliance once we have fully understood and documented the data flow. That includes not only data ownership and auditability, but cloud and storage configuration as well. If anything is not included or not documented in the contract, it doesn't exist and the organizations that want to maintain governance, regulation and compliance can't use a contract template. A customized contract is  a must to ensure their needs are met.
Another approach is to use Plan, Do, Check and Act cycle also known as Deming cycle for cloud security and compliance management. In this case, the Plan phase
determines  the scope of security and compliance
requirements including regulatory and business requirement evaluations, and designs deployment accordingly.
The Do phase defines the security controls and risk management framework. This includes choosing encryption, secu-
rity token, identity and access management,  identity management options and
controls to detect and prevent intrusion,. The last category includes security incident and event management and data leakage protection products. In the Check phase, organizations define auditing objectives. These involve not just SOX but also fine grained historical action logging. In the Act phase they mitigate vulnerabilities. This not only includes audits, but also continuous monitoring and security improvements.
Courtesy: Kanwarjeet Panesar