Essential Server Security Measures and Best Practices

Discover key strategies for securing your Linux server, including monitoring server health, conducting system hardening, implementing least privilege policies, utilizing intrusion detection and prevention systems, leveraging vulnerability scanners, and enhancing endpoint protection. Learn about monitoring commands, system hardening steps, user access limitations, security policy enforcement, and vulnerability assessments.

• Server Security
• Linux Administration
• Cybersecurity
• Endpoint Protection
• Vulnerability Scanning

caey641 Follow

Uploaded on Mar 19, 2025 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

Presentation Transcript

1. Security Design for IEEE P1687 Hejia Liu Major Professor: Vishwani D. Agrawal

2. Introduction Part 1: Introduction of IEEE P1687 (IJTAG) security risks in P1687 Part 2: Security design and expected unlocking time Part 3: Discussion of a proposal and improvement in security Apr 8, 2014 Liu: MEE Project 2

3. IEEE 1149.1 (JTAG) Interface Apr 8, 2014 Liu: MEE Project 3

4. What is P1687/ IJTAG? IEEE P1687 is a valuable tool for accessing on- chip instruments during test, diagnosis, debug and board configurations. P1687 is a proposed IEEE Standard that has 3 components A flexible set of serial scan chain techniques for the instrument access architecture (called the network) A network description language (called instrument connectivity language, ICL) An instrument vector language (called procedure description language, PDL) Apr 8, 2014 Liu: MEE Project 4

5. Communication between Chips An example of communication P1687 network between 3 chips Apr 8, 2014 Liu: MEE Project 5

6. Instruments, IPs An IP (Intellectual property core) with a P1687 compliant interface is named instrument. IPs: Analog, digital or mixed signal circuitry performing particular functions, such as a clock a generator, an interface to an external measurement probe, a radio tuner, an analog signal converter, a digital signal processor, etc. Apr 8, 2014 Liu: MEE Project 6

7. P1687 Network Rst Optional Apr 8, 2014 Liu: MEE Project 7

8. FSM of TAP Controller Apr 8, 2014 Liu: MEE Project 8

9. Security Risks Depending on the application, data may be stored on-chip, including chip ID, codes, and encryption keys. An attacker can access a targeted instrument and obtain the secret data easily. Apr 8, 2014 Liu: MEE Project 9

10. A Possible Break-in Procedure Step 1: Load Instruction code in TAP Step 2: Shift in an attempt vector Step 3: Clock the TAP controller Step 4: If attempt successful, access instrument Step 5: Else, repeat from step 2 Apr 8, 2014 Liu: MEE Project 10

11. Security Levels Insecurity: Break-in time at the level of days Weak security: Break-in time at the level of years Strong security: Break-in time at the level of ten years Full Security: Break-in time in the level of thousand years Apr 8, 2014 Liu: MEE Project 11

12. Structure of SIB (Segment Insertion Bit) Select=1 ShiftEn=1 To_TDO1 1 To_TDI2 0 0 0 TDI Update cell Select 1 1 Shift cell 1 From_TDO2 1 1 ShiftEn Select TCK UpdateEn Apr 8, 2014 Liu: MEE Project 12

13. Structure of SIB (Segment Insertion Bit) Select=0 ShiftEn=1 To_TDO1 To_TDI2 0 TDI 0 0 Update cell Select 1 1 Shift cell From_TDO 2 1 0 0 ShiftEn Select TCK updateEn Apr 8, 2014 Liu: MEE Project 13

14. The Structure of SIB (Segment Insertion Bit) ShiftEn=0 UpdateEn=1 To_TDI 2 To_TDO 1 0 0 0 TDI Update cell Select 1 Shift cell 1 From_TDO 2 1 1 1 ShiftEn Select TCK UpdateEn Apr 8, 2014 Liu: MEE Project 14

15. Dworak, et al.. ,Dont forget to lock your SIB:Hiding instrument using P1687, ITC 2013 Locking-SIB With Trap To_TDO1 To_TDI2 0 0 RST 0 TDI 1 1 Update cell Shift cell From_TDO 1 1 ShiftEn Select TCK UpdateEn Key[0] Key[n] Trap feedback select signal Whether the key and trap feedback value is 1 or 0 is decided by structure Select Liu: MEE Project 15 Apr 8, 2014

16. Unsecure and Secure P1687 Networks Apr 8, 2014 Liu: MEE Project 16

17. Dworak, et al.,Dont forget to lock your SIB: Hiding instrument using P1687, ITC 2013 Break-in Procedure Cost(LSIB unlock attempt w/Trap) = 10 + 2? + ? Prob(opening SIB with key of k bits) 1 = 2?+1 Expected Cost(LSIB unlock w/Trap) = (10 + 2? + ?) 2?+1 Apr 8, 2014 Liu: MEE Project 17

18. Expected Results (f = 100MHz) Expected time to unlock LSIB withTrap Days 7.79E-07 3.94E-04 5.13E+01 6.69E+06 8.76E+11 1.15E+17 1.50E+22 Key length K 8 16 32 48 64 80 96 Chain Length N 640 1280 2560 5120 10240 20480 40960 Years 2.13E-09 1.08E-06 1.41E-01 1.83E+04 2.40E+09 3.15E+14 4.11E+19 Apr 8, 2014 Liu: MEE Project 19

19. Features of Secure Structure The order of magnitudes for break-in time: k + 1 log(2? f) An attacker uses the scan chain length as a feedback What if we hide the length of the scan path? Apr 8, 2014 Liu: MEE Project 20

20. An Original Proposal: Use SLFSR (Secure LFSR) to Hide Scan Path Length Apr 8, 2014 Liu: MEE Project 21

21. SLFSR Example 3-stage SLFSR, R=23 1 = 7 Apr 8, 2014 Liu: MEE Project 22

22. Break-in Procedure 1 attempt= n*+? + 2? + 10 Apr 8, 2014 Liu: MEE Project 23

23. Attackers Strategies Condition 1: Attempt length is n*< N ????? ????????? ???? ? ?? ? < ? (? +? + 2? + 10 )2? ? = ? Condition 2: Attempt length is n*= N ???????? ???? = [ ? + 2? + 10 + ? ?] 2?+1 Condition 3: Attempt length n*> N ???????? ???? = [ ? + 2? + 10 + ? ?] 2?+1 Apr 8, 2014 Liu: MEE Project 24

24. Expected Results (f = 100MHz) Condition 3: %Increase Compared to Trap without SLFSR 395.9596 377.9141 365.6357 362.8169 360.8592 359.4203 358.3181 356.7407 355.6663 Expected time to unlock LSIB with SLFSR(days) Key length K Chain length N cycles Days Years 8 32 64 128 160 192 224 256 320 384 2.32E-07 9.34E-05 1.06E+01 3.28e+03 9.85E+05 2.90E+08 8.37E+10 6.74E+15 5.24E+20 6.36E-10 2.56E-07 2.90E-02 8.98 2.70E+03 7.93e+05 2.29e+08 1.85E+13 1.44E+18 2.01e+05 8.07e+07 9.14E+12 2.83E+15 8.51E+17 2.50E+20 7.23E+22 5.82E+27 4.53E+32 16 32 40 48 56 64 80 96 Apr 8, 2014 Liu: MEE Project 25

25. Disadvantage Compared to Structure without SLFSR In fact, we are increasing the feedback keys alternately. For the secure chain without LFSR, Total expected unlocking time without LFSR = (10 + 2N + d)2?+1 For the secure chain in the worst case condition (condition 3) : Total expected unlocking time with LFSR = (10 + N + 2R)2?+1 ?(2? 1) Comparing 2 equations, for large n, the efficiency ratio: Expected time w/no SLFSR Expected time w/SLFSR 2,when N Apr 8, 2014 Liu: MEE Project 26

26. Conclusion It is useful we replace the non-functional segments with SLFSR Security SLFSR increases attacker s effort as breaking not only depends on the structure we build up, but also the strategies that attacker chooses. We should be concerned about the lucky attacker Apr 8, 2014 Liu: MEE Project 27