Arm’s confidential computing uses hardware to ensure security


Armv9 is Arm's first major architectural update in a decade



Arm introduced its Armv9 chip platform this week as the first major upgrade for its architecture in a decade. And one of the key pillars was “confidential computing,” a hardware-based security initiative.

Arm is a chip architecture company that licenses its designs to others, and its customers have shipped more than 100 billion chips in the past five years. Nvidia is in the midst of acquiring Cambridge, United Kingdom-based Arm for $40 billion, but the deal is waiting on regulatory approvals.

During Arm’s press event, CEO Simon Segars said that Armv9’s roadmap introduces the Arm Confidential Compute Architecture (CCA). Confidential computing shields portions of code and data from access or modification while in use, even from privileged software, by performing the computation in a hardware-based secure environment, he said. More details will be released over time.

The processor can have secure enclaves, and that can create better security throughout the system. Usually, the model for software is to inherently trust the operating system and the hypervisor the software is running on, and that the highest tiers of software are allowed to see into the execution of the lower tiers. But if the operating system or hypervisor is compromised, that’s a risk.

CCA introduces a new concept of dynamically created “realms,” which can be viewed as secured containerized execution environments that are completely opaque to the OS or hypervisor. The hypervisor would still exist, but be solely responsible for scheduling and resource allocation. The realms instead would be managed by a new entity called the realm manager, which is supposed to be a new piece of code roughly a tenth the size of a hypervisor.

“The Arm Confidential Compute architecture will introduce the concept of dynamically created realms, usable by ordinary programs in a separate computation world from either the non-secure or secure world that we have today,” said Richard Grisenthwaite, chief architect at Arm, in a press briefing. “Realms use a small amount of trust and testable management software that is inherently separated from the operating system.”

Segars said that Realms are much like software containers, which isolate code in certain ways, but with hardware support.


“People are realizing that it matters,” said Mike Bursell, chief security architect at Red Hat, in a press briefing. “Confidential computing is about protecting your applications, your workloads from a host which is compromised or malicious or from external hackers. Keeping your workloads safe using hardware controls is how we think about confidential computing. People realize there are some workloads that they’re not happy about putting on the cloud or which are not safe on the edge, maybe because their boxes aren’t physically secure.”

Realms can protect commercially sensitive data and code from the rest of the system while it is in use, at rest, and in transit. In a recent survey of enterprise executives, more than 90% of the respondents believe that if confidential computing were available, the cost of security could come down, enabling them to dramatically increase their investment in engineering innovation. Overall, the chain of trust required for an application to run can be more limited, protecting the overall system if part of the system is compromised.

Henry Sanders, chief technology officer of Azure Edge and Platforms at Microsoft, said in a statement that the complexity of edge-to-cloud computing means that one-size-fits-all solutions don’t work. He believes more synergy between hardware and software with the Confidential Compute architecture is necessary to foster innovation.


Lee Caswell, vice president of marketing at VMware’s cloud platform business, said in a statement that Arm’s SmartNICs with VMware Project Monterey introduce a zero-trust security model with the goal of both improved security and better performance across a hybrid cloud.

“Arm is positioning itself as a high-performance and highly secure platform, stepping up its competition with x86 and to stay ahead of RISC-V,” said Kevin Krewell, an analyst with Tirias Research, in an email to VentureBeat. “The System Ready program is designed to improve the standardization of Arm-based chips to ease software compatibility. Arm is also preparing for an eventual merger with Nvidia, with its Mali graphics adding new features that mirror Nvidia’s RTX family.”

Patrick Moorhead, an analyst at Moor Insights & Strategy, said confidential computing is the next frontier in datacenter security, where every link in the chain has “zero trust” in each other. Armv9 incorporates many elements of confidential computing, and so he thinks Realms is a differentiator.


“It’s all about security against many different attack scenarios from a security perspective,” said Ron Martino, executive vice president and general manager of edge computing at NXP. “This includes both the data and the software IP, dealing with multiple entities, some trusted, some that aren’t trusted. And it also includes ensuring security against physical and remote attacks. So when you think about this whole computing concept and deploying devices, it’s this edge-to-cloud computing concept that is applying confidential computing.”

Dave Kleidermacher at Google said that confidential computing applies both to the cloud as well as mobile devices. He said one of the uses for confidential computing in the cloud is to stop fraud: Data can be extracted from each domain in a chain of payments, and that data can point to evidence of fraud in a privacy-preserving way.

Richard Searle at Fortanix said the Linux Foundation has been trying to educate the tech community about confidential computing, but there’s still some confusion around it. “There’s still work to be done,” he said. “It’s a new market. But events like this can help get the message about what this new technology can bring to data and application security.”


US government strikes back at Kremlin for SolarWinds hack campaign


US officials on Thursday formally blamed Russia for backing one of the worst espionage hacks in recent US history and imposed sanctions designed to mete out punishments for that and other recent actions.

In a joint advisory, the National Security Agency, FBI, and Cybersecurity and Information Security Agency said that Russia’s Foreign Intelligence Service, abbreviated as the SVR, carried out the supply-chain attack on customers of the network management software from Austin, Texas-based SolarWinds.

The operation infected SolarWinds’ software build and distribution system and used it to push backdoored updates to about 18,000 customers. The hackers then sent follow-up payloads to about 10 US federal agencies and about 100 private organizations. Besides the SolarWinds supply-chain attack, the hackers also used password guessing and other techniques to breach networks.

After the massive operation came to light, Microsoft President Brad Smith called it an “act of recklessness.” In a call with reporters on Thursday, NSA Director of Cybersecurity Rob Joyce echoed the assessment that the operation went beyond established norms for government spying.

“We observed absolutely espionage,” Joyce said. “But what is concerning is from that platform, from the broad scale of availability of the access they achieved, there’s the opportunity to do other things, and that’s something we can’t tolerate and that’s why the US government is imposing costs and pushing back on these activities.”

Thursday’s joint advisory said that the SVR-backed hackers are behind other recent campaigns targeting COVID-19 research facilities, both by infecting them with malware known as WellMess and WellMail and by exploiting a critical vulnerability in VMware software.

The advisory went on to say that the Russian intelligence service is continuing its campaign, in part by targeting networks that have yet to patch one of the five following critical vulnerabilities. Including the VMware flaw, they are:

  • CVE-2018-13379 Fortinet FortiGate VPN
  • CVE-2019-9670 Synacor Zimbra Collaboration Suite
  • CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN
  • CVE-2019-19781 Citrix Application Delivery Controller and Gateway
  • CVE-2020-4006 VMware Workspace ONE Access

“Mitigation against these vulnerabilities is critically important as US and allied networks are constantly scanned, targeted, and exploited by Russian state-sponsored cyber actors,” the advisory stated. It went on to say that the “NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations.”

A representative of VPN provider Pulse noted that patches for CVE-2019-11510 were released in April 2019. “Customers who followed the instructions in a Pulse Secure security advisory issued at that time have properly protected their systems and mitigated the threat.” Fortinet in recent weeks has also pointed out it patched CVE-2018-13379 in May 2019. The makers of the other affected hardware and software have also issued fixes.


The US Treasury Department, meanwhile, imposed sanctions to retaliate for what it said were “aggressive and harmful activities by the Government of the Russian Federation.” The measures include new prohibitions on Russian sovereign debt and sanctions on six Russia-based firms that the Treasury Department said “supported the Russian Intelligence Services’ efforts to carry out malicious cyber activities against the United States.”

The firms are:

  • ERA Technopolis, a research center operated by the Russian Ministry of Defense for transferring the personnel and expertise of the Russian technology sector to the development of technologies used by the country’s military. ERA Technopolis supports Russia’s Main Intelligence Directorate (GRU), a body responsible for offensive cyber and information operations.
  • Pasit, a Russia-based information technology company that has conducted research and development supporting malicious cyber operations by the SVR.
  • SVA, a Russian state-owned research institute specializing in advanced systems for information security located in that country. SVA has done research and development in support of the SVR’s malicious cyber operations.
  • Neobit, a Saint Petersburg, Russia-based IT security firm whose clients include the Russian Ministry of Defense, SVR, and Russia’s Federal Security Service. Neobit conducted research and development in support of the cyber operations conducted by the FSB, GRU, and SVR.
  • AST, a Russian IT security firm whose clients include the Russian Ministry of Defense, SVR, and FSB. AST provided technical support to cyber operations conducted by the FSB, GRU, and SVR.
  • Positive Technologies, a Russian IT security firm that supports Russian Government clients, including the FSB. Positive Technologies provides computer network security solutions to Russian businesses, foreign governments, and international companies and hosts recruiting events for the FSB and GRU.

“The reason they were called out is because they’re an integral part and participant in the operation that the SVR executes,” Joyce said of the six companies. “Our hope is that by denying the SVR the support of those companies, we’re impacting their ability to project some of this malicious activity around the world and especially into the US.”

Russian government officials have steadfastly denied any involvement in the SolarWinds campaign.

Besides attributing the SolarWinds campaign to the Russian government, Thursday’s release from the Treasury Department also said that the SVR was behind the August 2020 poisoning of Russian opposition leader Aleksey Navalny with a chemical weapon, the targeting of Russian journalists and others who openly criticize the Kremlin, and the theft of “red team tools,” which use exploits and other attack tools to mimic cyber attacks.

The “red team tools” reference was likely related to the offensive tools taken from FireEye, the security firm that first identified the SolarWinds campaign after discovering its network had been breached.

The Treasury Department went on to say that the Russian government “cultivates and co-opts criminal hackers” to target US organizations. One group, known as Evil Corp., was sanctioned in 2019. That same year, federal prosecutors indicted the Evil Corp kingpin Maksim V. Yakubets and posted a $5 million bounty for information that leads to his arrest or conviction.

Although overshadowed by the sanctions and the formal attribution to Russia, the most important takeaway from Thursday’s announcements is that the SVR campaign remains ongoing and is currently leveraging the exploits mentioned above. Researchers said on Thursday that they’re seeing Internet scanning that is intended to identify servers that have yet to patch the Fortinet vulnerability, which the company fixed in 2019. Scanning for the other vulnerabilities is also likely ongoing.

People managing networks, particularly any that have yet to patch one of the five vulnerabilities, should read the latest CISA alert, which provides extensive technical details about the ongoing hacking campaign and ways to detect and mitigate compromises.


Autonomous trucking company Plus will use AI and billions of miles of data to train self-driving semis


This article is part of a VB Lab Insight series paid for by Plus.


The safest drivers are those with the most experience. Studies show it can take years of practice for automobile drivers to become careful and competent road users. Similarly, the more experience a truck driver has the less likely it is that they will cause a serious crash.

What holds true for human drivers holds true for autonomous driving systems — up to a point. The safest self-driving vehicle platforms are those that have accumulated the most experience.

Since driving experience is so important, how can technologists make sure computerized driving systems get the training they need to operate safely on the nation’s roads and highways?

Solving this challenge is the key to unlocking a fully autonomous future.

How computers learn to drive a semi-truck

Thanks to advances in sensor technology and artificial intelligence (AI), an automated truck is capable of analyzing many objects on the road and making a decision about how to respond.

This is accomplished in large part by training so-called “deep learning” algorithms. Repeatedly expose a self-driving system to all kinds of obstacles, from a cut-in vehicle to a construction site, and the system will start to understand how to react when an obstruction appears on the highway.

Here it is important to note that unlike people, machines lack common sense and don’t do well handling novel situations. Human drivers know to slow down in the face of an unexpected obstacle — a bear, say — because we can make decisions based on similar situations we have already encountered or extrapolate from other incidents.

Unlike humans, however, deep neural networks can only learn from data they have been trained on, whether from public roads, closed courses, or computer simulations.

So back to the original question: How do you train the machines so they are exposed to the full range of the driving experience?

Data, data, and more data

Plus’s goal is to help truck drivers on long-haul routes, where they encounter a variety of road and weather conditions. In addition to closed-road testing and computer simulations, the company’s PlusDrive system is learning on the open road, where the trucks can be exposed to real-world obstacles and situations. Junk flying from a pickup bed. Ice slicks. A wind turbine blade. A zigzagging motorcycle.


Though these so-called “long tail” phenomena comprise less than 1% of the time behind the wheel, knowing how to safely navigate them is critical for machines. Society expects that a computer-operated machine must be at least an order of magnitude safer than a human driver.

Billions of miles of on-road testing

Starting this summer, Plus will put its supervised automated driving system into factory production. It is also retrofitting existing trucks with the system. By this time next year, hundreds of automated trucks powered by PlusDrive will be on the road, hauling commercial cargo.

Human drivers will be behind the wheel. Like an experienced professional training a new recruit, Plus drivers will monitor the autonomous trucks while teaching them how to handle unexpected obstacles.

Plus estimates that its fleet will accumulate billions of collective miles before the company deploys fully driverless vehicles. Taking an evolutionary approach to full autonomy enables the company to rack up miles more quickly, with the assistance of on-board professional drivers who are training and validating the system.

To support its global deployment in the U.S., China, Europe, and other markets, Plus recently raised $420 million in new funding.

Truck driver retention and low-carbon solution

The drivers benefit too. The Plus supervised autonomous trucking solution elevates the role of the truck driver, upskilling them in preparation for an autonomous future. At the same time a digital co-pilot will ease driver exhaustion on long-haul routes, and fleets will spend less on the hiring process.

The system yields other gains. Fuel comprises about a third of a trucking company’s operating budget, by far the largest cost for heavy trucks. When an automated system understands the road, pulling in GPS and weather data too, it optimizes shifting and braking. Plus has run pilot projects showing that PlusDrive saves 10% of the tank compared to the most efficient drivers, a win for the bottom line and the environment.

The autonomous trucking future, now

Commercial space travel, solar-powered cities, autonomous vehicles — the first two visions of the future depend on specific economic inflection points, while the third is wholly dependent on the amount of data a system has accumulated.

Plus is building the necessary feedback loop of information today. Its trucks are accumulating the data. Its drivers, who are among the safest and most efficient Class A drivers, are training the system with their responses. Its engineers are fine-tuning PlusDrive’s algorithms and decisions. And eventually PlusDrive will be one of the safest and most experienced drivers on the road.

Plus is applying autonomous trucking technology to trucks today. For more information, please visit www.plus.ai.


VB Lab Insights content is created in collaboration with a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. Content produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact [email protected]


Misfits Gaming esports group launches Women of Misfits speaker series



Esports company Misfits Gaming Group is leaning into female gamers with the launch of its Women of Misfits speaker series, and it will turn into a wider platform over time.

The Boca Raton, Florida-based company will use its fame in esports to elevate issues for women in gaming and esports, and it’s happening at a time when problems such as sexual harassment and under-representation of women at game studios and at esports organizations have been in the headlines.

Women are a prevalent part of the esports and gaming landscape. Nearly 40% of all gamers are female with 80% of them being 18 or older. The Women of Misfits initiative will provide a space for women to discuss ideas and be inspired by influential women both inside and outside the organization in addition to supporting the growth and development of women within MGG. We’ll have a Women in Gaming Breakfast at our GamesBeat Summit 2021 on April 28-29.

The platform will feature a series of monthly guest speakers. The first speakers are Chris Evert, 18-time Grand Slam singles champion and tennis legend; GloZell Green, comedian and YouTuber; Bianca Smith, the first Black woman to serve as a professional baseball coach; Angela Ruggiero, CEO of Sports Innovation Lab and four-time Olympian and Gold Medalist for the U.S. Hockey team; and Maya Enista Smith, Executive Director of the Born This Way Foundation.

The focus of the Women of Misfits platform will be mentorship, development, network, and advocacy. The platform will be led by female executives within MGG including chief development officer Hillary Matchett; president of media and branding Ella Pravetz; chief revenue officer Lagen Nash; president of Misfits Agency Amy Palmer; vice president of Communications Becca Henry; chief wellness adviser Carolyn Rubenstein; and cofounder Laurie Silvers.

The Women of Misfits platform includes a monthly speaker series with industry leaders and visionaries which will air on MGG’s YouTube channel. The sessions will be moderated by MGG executives and guest speakers will share topics that matter to them and inspire both the gaming community and women to pursue their dreams.

“I am truly inspired and amazed with our women at MGG and their many accomplishments and eager to watch this platform ascend,” said Misfits CEO Ben Spoont, in a statement. “The determination and dedication to push one another to break the boundaries as women within the esports industry is remarkable, and I am confident this platform will resonate not only within MGG but also within our wider community.”
