Continuous security evaluation and auditing of remote platforms by combining trusted computing and security automation techniques

In many new distributed systems paradigms, such as cloud computing, the Internet of Things (IoT), and electronic banking, the security of the host platforms is critical, yet it is managed by the platform owner. Platform administrators use security automation techniques, such as those provided by the Security Content Automation Protocol (SCAP) standards, to ensure that the outsourced platforms are set up correctly and follow governmental or industry security recommendations. However, remote platform users still have to trust the platform administrators. Third-party security audits, which are used to shift the required user trust from the platform owner to a trusted entity, are scheduled and are not frequent enough to deal with the daily reported vulnerabilities that attackers can exploit. In this paper we propose a remote platform evaluation mechanism that can be used by the remote platform users themselves, or by auditors, to perform frequent platform security audits for the platform users. We analyze the existing SCAP and trusted computing (TCG) standards for our solution, identify their shortcomings, and suggest ways to integrate them. Our proposed platform security evaluation framework uses the synergy of TCG and SCAP to address the limitations of each technology when used separately.
