Thuy D. Nguyen

A video game for cyber security training and awareness

Although many of the concepts included in cyber security awareness training are universal, such training often must be tailored to address the policies and requirements of a particular organization. In addition, many forms of training fail because they are rote and do not require users to think about and apply security concepts. A flexible, highly interactive video game, CyberCIEGE, is described as a security awareness tool that can support organizational security training objectives while engaging typical users in an engaging security adventure. The game is now being successfully utilized for information assurance education and training by a variety of organizations. Preliminary results indicate the game can also be an effective addition to basic information awareness training programs for general computer users (e.g., annual awareness training.)

The Trusted Computing Exemplar project

We describe the Trusted Computing Exemplar project, which is producing an openly distributed worked example of how high assurance trusted computing components can be built. The TCX project encompasses four related activities: creation of a prototype framework for rapid high assurance system development; development of a reference-implementation trusted computing component; evaluation of the component for high assurance; and open dissemination of results related to the first three activities. The projects open development methodology provides widespread availability of key high assurance enabling technologies and ensures transfer of knowledge and capabilities for trusted computing to the next generation of developers, evaluators and educators.

Overview of a high assurance architecture for distributed multilevel security

A high assurance architecture is described for the protection of distributed multilevel secure computing environments from malicious code and other attacks. Component security services and mechanisms extend and interoperate with commodity PCs, commodity client software, applications, trusted components, and legacy single level networks, providing new capabilities for composing secure, distributed multilevel security. This architecture results from the realization that unless a secure system offers users comfortable and familiar interfaces for handling routine information, it will fail due to lack of user acceptability.

Managing Security in FPGA-Based Embedded Systems

FPGAs combine the programmability of processors with the performance of custom hardware. As they become more common in critical embedded systems, new techniques are necessary to manage security in FPGA designs. This article discusses FPGA security problems and current research on reconfigurable devices and security, and presents security primitives and a component architecture for building highly secure systems on FPGAs.

Handbook of FPGA Design Security

The purpose of Handbook of FPGA Design Security is to provide a practical approach to managing security in FPGA designs for researchers and practitioners in the electronic design automation (EDA) and FPGA communities, including corporations, industrial and government research labs, and academics. Handbook of FPGA Design Security combines theoretical underpinnings with a practical design approach and worked examples for combating real world threats. To address the spectrum of lifecycle and operational threats against FPGA systems, a holistic view of FPGA security is presented, from formal top level specification to low level policy enforcement mechanisms. This perspective integrates recent advances in the fields of computer security theory, languages, compilers, and hardware. The net effect is a diverse set of static and runtime techniques that, working in cooperation, facilitate the composition of robust, dependable, and trustworthy systems using commodity components.

Least privilege in separation kernels

We extend the separation kernel abstraction to represent the enforcement of the principle of least privilege. In addition to the inter-block flow control policy prescribed by the traditional separation kernel paradigm, we describe an orthogonal, finer-grained flow control policy by extending the protection of elements to subjects and resources, as well as blocks, within a partitioned system. We show how least privilege applied to the actions of subjects provides enhanced protection for secure systems.

A cloud-oriented cross-domain security architecture

The Monterey Security Architecture addresses the need to share high-value data across multiple domains of different classification levels while enforcing information flow policies. The architecture allows users with different security authorizations to securely collaborate and exchange information using commodity computers and familiar commercial client software that generally lack the prerequisite assurance and functional security protections. MYSEA seeks to meet two compelling requirements, often assumed to be at odds: enforcing critical, mandatory security policies, and allowing access and collaboration in a familiar work environment. Recent additions to the MYSEA design expand the architecture to support a cloud of cross-domain services, hosted within a federation of multilevel secure (MLS) MYSEA servers. The MYSEA cloud supports single-sign on, service replication, and network-layer quality of security service. This new cross-domain, distributed architecture follows the consumption and delivery model for cloud services, while maintaining the federated control model necessary to support and protect cross-domain collaboration within the enterprise. The resulting architecture shows the feasibility of high-assurance, cross-domain services hosted within a community cloud suitable for inter-agency, or joint, collaboration. This paper summarizes the MYSEA architecture and discusses MYSEAs approach to provide an MLS-constrained cloud computing environment.

MYSEA: the monterey security architecture

Mandated requirements to share information across different sensitivity domains necessitate the design of distributed architectures to enforce information flow policies while providing protection from malicious code and attacks devised by highly motivated adversaries. The MYSEA architecture uses component security services and mechanisms to extend and inter-operate with commodity PCs, commodity client software, applications, trusted components, and legacy single level networks, providing new capabilities for composing secure, distributed multilevel secure solutions. This results in an architecture that meets two compelling requirements: first, that users have a familiar work environment, and, second, that critical mandatory security policies are enforced.

Security Primitives for Reconfigurable Hardware-Based Systems

Computing systems designed using reconfigurable hardware are increasingly composed using a number of different Intellectual Property (IP) cores, which are often provided by third-party vendors that may have different levels of trust. Unlike traditional software where hardware resources are mediated using an operating system, IP cores have fine-grain control over the underlying reconfigurable hardware. To address this problem, the embedded systems community requires novel security primitives that address the realities of modern reconfigurable hardware. In this work, we propose security primitives using ideas centered around the notion of “moats and drawbridges.” The primitives encompass four design properties: logical isolation, interconnect traceability, secure reconfigurable broadcast, and configuration scrubbing. Each of these is a fundamental operation with easily understood formal properties, yet they map cleanly and efficiently to a wide variety of reconfigurable devices. We carefully quantify the required overheads of the security techniques on modern FPGA architectures across a number of different applications.

High robustness requirements in a Common Criteria protection profile

The development of a Common Criteria Protection Profile for high robustness separation kernels requires explicit modifications of several common criteria requirements as well as extrapolation from existing (e.g., medium robustness) guidance and decisions. The draft U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness (SKPP) is intended to be applicable to a class of products (the target of evaluation, or TOE) that includes, but is not limited to, real time and embedded systems. This paper describes certain SKPP concepts and requirements and provides underlying motivations and rationale for their inclusion in the SKPP. Primary areas of focus are the security requirements regarding information flow, dynamic configuration, and the application of the principle of least privilege to restrict actions of active entities