Secure Code Execution: Today's Challenge
As the increase in malware-based attacks has demonstrated, software applications and the data they use are vulnerable to tampering. Even when application-level encryption is used, data can still be vulnerable if it appears in the clear on servers. For critical applications, organizations must take steps to ensure that attackers cannot gain access to sensitive application processes or data during execution.
Historically, the physical protection provided by dedicated data centers and segregated systems provided a semi-trusted environment. But in today’s highly distributed, tightly integrated, often completely virtualized or even cloud-based systems, environmental security is often severely diminished. One powerful solution is to execute the security-sensitive aspects of an application inside a secure localized perimeter such as that provided by a hardware security module (HSM). HSMs that provide an application ‘sandbox’ enable application code to execute within the tamper-resistant hardware boundary, effectively creating a trusted zone in an untrusted environment and protecting against a variety of outsider and insider attacks including Advanced Persistent Threats (APTs).
Organizations might take this extra level of precaution when a given application’s trustworthiness must be beyond question, even though it operates in an untrusted environment, or where the consequences of an attack that compromises application integrity are especially severe, Examples include:
- Public key infrastructures (PKI) in which certificate authority (CA) application code might be manipulated to authorize the issuing of bogus certificates.
- Online content distribution, where access to high-value content at a remote location such as a movie theater needs to be metered for billing purposes and audited for security purposes.
- Audit logging at remote locations, where secure, trusted logs are essential for auditing and compliance purposes; for these applications, digital signatures and potentially trusted timestamps need to be applied to audit logs and records in a dependable fashion.
- Outsourced manufacturing of high-tech devices such as mobile phones or smart utility meters, where remote application processes are used to generate and issue device credentials and digital identities or to control the number and configuration of devices being manufactured. Abuse of such processes can result in the production of counterfeit and/or malware-infected products.
- Highly secret, proprietary algorithms and protocols that protect valuable data such as web log-on credentials and yet are forced to reside in hostile environments such as a web DMZ or even a public environment. All of these need protection to avoid large-scale attack and loss of intellectual property or personal data.
Risks Associated with Secure Code Execution
- Rogue applications can eavesdrop on application code while it is executing, thereby compromising data and business processes.
- APTs—applications that modify the behavior of a standard application—can compromise business integrity by handing over control of critical business processes to attackers in a way that may go undetected for some time.
- Corrupted applications can alter the attributes of a manufacturing process or the configuration or firmware of manufactured devices, with wide ranging repercussions if those devices themselves are used as Trojans to conduct data theft on a large scale.
- Attempts to lock down servers using traditional approaches to physical security and isolation can become increasingly expensive, restrictive, and potentially impossible as organizations move toward a more virtualized or cloud-based model.
Secure Code Execution: Thales e-Security Solutions
Using the CodeSafe secure execution capabilities of nShield HSMs, developers and architects can protect executing code within the secure boundary of the HSM. CodeSafe expands the security perimeter beyond the key management and cryptographic processing capabilities of the HSM to include an application ‘sandbox’ in which security-sensitive application code can execute. CodeSafe helps organizations close the security gap between an application running on the server and processes running on the HSM. It protects application software as it is executed, and can therefore prevent unauthorized programs from gaining access to data. In addition, CodeSafe supports an optional capability that enables an entire SSL stack to run inside the nShield HSM; this provides a mechanism for an encrypted SSL connection to be terminated directly within the HSM, removing the risk of data exposure on the host server. By running application software in a proven, security certified hardware environment, CodeSafe protects data, processes, and intellectual property that would otherwise be at risk.
- Protect sensitive applications and data against APTs and other malware.
- Maintain high assurance business processes while reducing reliance on physically trusted environments and the personal intervention of security officers.
- Maximize the value of your investment in applications and HSMs.
- Take full advantage of opportunities to relocate facilities in less trusted environments, such as outsourcing and use of cloud infrastructure—reducing costs without compromising security.
- Create trusted agents (tamper-resistant applications or services) that can enhance the security of highly distributed business processes.
- Close security gaps where sensitive data may be exposed on host servers before being passed to the HSM—when SSL is terminated on the host server, for example.
- Protect the confidentiality of sensitive applications that incorporate proprietary algorithms or protocols, such as custom designed authentication schemes.