Biblio

Current FAA strategic objectives include a migration to Trajectory Based Operations (TBO) with the integration of time-based management data and tools to increase efficiencies and reduce operating costs within the National Airspace System (NAS). Under TBO, integration across various FAA systems will take on greater importance than ever. To ensure the security of this integration without impacting data and tool availability, the FAA should consider adopting a Zero Trust Framework (ZTF) into the NAS.ZTF was founded on the belief that strong boundary security protections alone (traditionally referred to as the castle-moat approach) were no longer adequate to protecting critical data from outside threats and, with ever-evolving threat sophistication, contamination within a network perimeter is assumed to already exist (see Figure 1).To address this, theorists developed a framework where trust is controlled and applied to all internal network devices, users, and applications in what was termed a "Never Trust; Always Verify" approach to distinguish the authorized from the unauthorized elements wanting to access network data.To secure achievement of TBO objectives and add defensive depth to counter potential insider threats, the FAA must consider implementing a hybrid approach to the ZTF theory. This would include continued use of existing boundary protections provided by the FAA Telecommunications Infrastructure (FTI) network, with the additional strength afforded by the application of ZTF, in what is called the NAS Zero Trust eXtended (ZTX) platform.This paper discusses a proposal to implement a hybrid ZTX approach to securing TBO infrastructure and applications in the NAS.

The prevalence of Cloud Computing has appealed many users to put their business into low-cost and flexible cloud servers instead of bare-metal machines. Most virtual machines in the cloud run commodity operating system(e.g., linux), and the complexity of such operating systems makes them more bug-prone and easier to be compromised. To mitigate the security threats, previous works attempt to mediate and filter system calls, transform all unpopular paths into popular paths, or implement a nested kernel along with the untrusted outter kernel to enforce certain security policies. However, such solutions only enforce read-only protection or assume that popular paths in the kernel to contain almost no bug, which is not always the case in the real world. To overcome their shortcomings and combine their advantages as much as possible, we propose a hardware-assisted isolation mechanism that isolates untrusted part of the kernel. To achieve isolation, we prepare multiple restricted Extended Page Table (EPT) during boot time, each of which has certain critical data unmapped from it so that the code executing in the isolated environment could not access sensitive data. We leverage the VMFUNC instruction already available in recent Intel processors to directly switch to another pre-defined EPT inside guest virtual machine without trapping into the underlying hypervisor, which is faster than the traditional trap-and-emulate procedure. The semantic gap is minimized and real-time check is achieved by allowing EPT violations to be converted to Virtualization Exception (VE), which could be handled inside guest kernel in non-root mode. Our preliminary evaluation shows that with hardware virtualization feature, we are able to run the untrusted code in an isolated environment with negligible overhead.

Mobile cloud computing paradigm enables cloud servers to extend the limited hardware resources of mobile devices improving availability and reliability of the services provided. Consequently, private, financial, business and critical data pass through wireless access media exposed to malicious attacks. Mobile cloud infrastructure requires new security mechanisms, at the same time as offloading operations need to maintain the advantages of saving processing and energy of the device. Thus, this paper implements a middleware-based computational offloading with cryptographic algorithms and evaluates two mechanisms (symmetric and asymmetric), to provide the integrity and authenticity of data that a smartphone offloads to mobile cloud servers. Also, the paper discusses the factors that impact on power consumption and performance on smartphones that's run resource-intensive applications.