Research article, DOI: 10.1145/2523514.2523537

Continuous security evaluation and auditing of remote platforms by combining trusted computing and security automation techniques

Published: 26 November 2013

    Abstract

    In many new distributed systems paradigms such as cloud computing, Internet of Things (IoT), electronic banking, etc., the security of the host platforms is critical, and it is managed by the platform owner. Platform administrators use security automation techniques, such as those provided by the Security Content Automation Protocol (SCAP) standards, to ensure that the outsourced platforms are set up correctly and follow the security recommendations (governmental or industry). However, the remote platform users still have to trust the platform administrators. Third-party security audits, used to shift the required user trust from the platform owner to a trusted entity, are scheduled and are not frequent enough to deal with the daily reported vulnerabilities that attackers can exploit. In this paper we propose a remote platform evaluation mechanism that can be used by the remote platform users themselves, or by auditors, to perform frequent platform security audits for the platform users. We analyze the existing SCAP and trusted computing (TCG) standards for our solution, identify their shortcomings, and suggest ways to integrate them. Our proposed platform security evaluation framework uses the synergy of TCG and SCAP to address the limitations of each technology when used separately.

      Published In

      SIN '13: Proceedings of the 6th International Conference on Security of Information and Networks
      November 2013
      483 pages
      ISBN:9781450324984
      DOI:10.1145/2523514
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Sponsors

      • Macquarie U., Australia
      • MNIT: Malaviya National Institute of Technology
      • Aksaray Univ.: Aksaray University
      • SFedU: Southern Federal University

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. SCAP
      2. TCG
      3. audit
      4. compliance
      5. platform security
      6. security automation

      Qualifiers

      • Research-article

      Conference

      SIN '13
      Sponsor:
      • MNIT
      • Aksaray Univ.
      • SFedU

      Acceptance Rates

      Overall Acceptance Rate 102 of 289 submissions, 35%

      Cited By

      • (2020) Continuous Security through Integration Testing in an Electronic Health Records System. 2020 International Conference on Software Security and Assurance (ICSSA), pp. 26-31. DOI: 10.1109/ICSSA51305.2020.00012. Online publication date: Oct-2020.
      • (2019) Information Assurance with special reference to the Security Content Automation Protocol (SCAP)—An Overview. International Journal of Case Studies in Business, IT, and Education, pp. 52-58. DOI: 10.47992/IJCSBE.2581.6942.0051. Online publication date: 21-Oct-2019.
      • (2019) Recent trends in applying TPM to cloud computing. SECURITY AND PRIVACY 3:1. DOI: 10.1002/spy2.93. Online publication date: 28-Nov-2019.
      • (2019) Cloud Auditing and Compliance. Security, Privacy, and Digital Forensics in the Cloud, pp. 157-188. DOI: 10.1002/9781119053385.ch8. Online publication date: 8-Feb-2019.
      • (2018) ASArP. Journal of Information Security and Applications 22:C, pp. 28-39. DOI: 10.1016/j.jisa.2014.09.001. Online publication date: 13-Dec-2018.
      • (n.d.) Information Assurance with special reference to the Security Content Automation Protocol (SCAP) — An Overview. SSRN Electronic Journal. DOI: 10.2139/ssrn.3497723.
