Cloud Hopper

When is a system secure?

Security features vs. assurance

The world of IT infrastructure is intimately familiar with virtual machines (VMs) for dynamically dividing large amounts of server hardware to run different applications and improving the total cost of ownership (TCO) on IT investments. Increasingly, this technology is shifting from inside premises to cloud infrastructure and, in time, we will see this infrastructure reside between the cloud and the Enterprise... Yes, the infamous “Edge” word.

This opens up new attack surfaces and new threats.

Infrastructure companies have largely secured the "front door." The focus for attackers, however, has always been to look for the weakest link; there have been reports of infrastructure being brought down through its cooling systems, as one example. Toward the end of 2019, the results of a detailed investigation by the Wall Street Journal were released (details here, subscription required). Cybersecurity investigators first identified aspects of the hack, called Cloud Hopper by the security researchers who uncovered it. The attack came in through cloud service providers, where companies thought their data was safely stored. Once the attackers got in, they could freely and anonymously hop from client to client, and they defied investigators' attempts to kick them out for years. A number of analysts have since commented on the considerations arising from this attack.

Security features are necessary to protect fundamental system integrity, data authenticity, and data privacy properties. There is a limit, however: a point at which a system becomes too complicated and costly for those managing it to know whether those features are properly deployed.

Given our connected world and the use of highly virtualized hardware, it is fair to take a step back and ask:

  • What are the necessary features?
  • What is protecting them from subversion?
  • How do you know when the system is protected?
  • How do you know the system will stay protected?

The answer(s):

[Infographic: cost of insecure software; estimated global spend on security software by 2021; CVEs in 2018 alone]

Assurance means knowing a system is secure

At a high level, a secure system is a system that behaves precisely as the IT stakeholder expects it to and is resilient to subversive attempts to change its behavior over the lifetime of the system. More concretely, it is a system running on an authentic processor that hands control to the software platform in an authentic state—the platform then enforces a policy consistent with the stakeholders' expected behavior and is resilient to subversive change attempts from all exposed interfaces.

"Assurance is often what separates actually secure systems from ones that are merely claimed to be secure."

—Steve Bellovin
Columbia University Computer Science 
AT&T Labs Fellow
NetBSD developer



It starts with the processor

Regardless of what security technology IT stakeholders choose to invest in, it is important to understand that at the bottom of any IT security solution is a processor and resource-management software whose integrity properties every security feature inherits. Far too often the foundational integrity properties of CPU and software-platform-level services are taken for granted.

  • What good is a whitelist if malicious threads can masquerade in authorized processes?
  • Of what use is a hypervisor if guests can escape?
  • How valuable is a malware detector if the detector can be compromised?
  • What good is hard drive encryption if authentication keys are leaked?
  • What if an application can extract all physical memory data through a side-channel?
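The "authentic processor hands control to the software platform in an authentic state" part of the definition above, and the question of how you know that state, is what a measured boot chain answers. The following is an added example written for this page, not code from Lynx or from LYNX MOSA.ic: a SHA-256 hash chain stands in for a hardware root-of-trust register (the extend rule mirrors how a TPM PCR accumulates measurements), and the stage images and the golden values are constructed sample data. It shows why a verifier can tell that every stage was authentic and loaded in the expected order, and which stage first diverged when one was altered.

```python
import hashlib

# Constructed sample boot chain (not Lynx's code or image format): the images a
# processor root of trust, firmware and platform would measure before handing
# control to the next stage.
GOLDEN_STAGES = [
    ("firmware",   b"constructed: firmware image v1.0"),
    ("bootloader", b"constructed: bootloader image v1.0"),
    ("platform",   b"constructed: separation-kernel platform image v1.0"),
    ("config",     b"constructed: partition layout and network policy v1.0"),
]

ZERO = bytes(32)  # initial value of the measurement register at reset


def measure(image: bytes) -> bytes:
    """Measurement of a stage = SHA-256 of the image that is about to run."""
    return hashlib.sha256(image).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """PCR-style extend: new = H(old || m). The result depends on the order of
    measurements and cannot be reversed, so a later stage cannot erase or
    reorder what the stages before it recorded."""
    return hashlib.sha256(register + measurement).digest()


def measured_boot(stages):
    """Walk the chain: each stage is measured before control passes to it.
    Returns (final register value, event log of (stage name, measurement hex))."""
    register = ZERO
    log = []
    for name, image in stages:
        m = measure(image)
        register = extend(register, m)
        log.append((name, m.hex()))
    return register, log


def replay_log(log):
    """Verifier side: recompute the register from the event log alone."""
    register = ZERO
    for _, m_hex in log:
        register = extend(register, bytes.fromhex(m_hex))
    return register


def verify(register, log, golden_register):
    """Two checks a verifier needs:
    1. the log replays to the reported register (the log was not edited afterwards);
    2. the register equals the golden value (every stage authentic, in expected order)."""
    return replay_log(log) == register and register == golden_register


def first_divergence(log, golden_log):
    """Name the first expected stage whose measurement does not match the golden
    log; 'chain length' if the logs differ only in length; None if all match."""
    for (golden_name, golden_hex), (_, seen_hex) in zip(golden_log, log):
        if golden_hex != seen_hex:
            return golden_name
    if len(log) != len(golden_log):
        return "chain length"
    return None


if __name__ == "__main__":
    golden_register, golden_log = measured_boot(GOLDEN_STAGES)
    print("clean boot verifies:", verify(golden_register, golden_log, golden_register))

    # A modified configuration image: control plane policy no longer what was evaluated.
    tampered = list(GOLDEN_STAGES)
    tampered[3] = ("config", b"constructed: partition layout and network policy v1.0 + extra route")
    reg, log = measured_boot(tampered)
    print("tampered boot verifies:", verify(reg, log, golden_register))
    print("first stage to diverge:", first_divergence(log, golden_log))
```

The golden register value is what an evaluator would compute from the images and configuration they actually reviewed; the running system can then be asked for its register and log, and a mismatch pinpoints the earliest stage that is not what was approved. Note that the chain only proves what was loaded, not that the loaded code is free of defects; that is where the tracing of configuration down to hardware control discussed later on this page comes in.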



Building Assurance

Requires a robust foundation

Adopting any digitization security technology requires careful technical scrutiny of claims of assurance, of interoperability with legacy systems, and of life-cycle maintenance costs. The architecture configuration language of LYNX MOSA.ic allows developers to design in the security properties of system devices that must be trusted and need to survive in hostile environments.

With LYNX MOSA.ic, evaluators of security properties such as government authorities or safety managers can trace configurations down to processor hardware control, providing formal evidence of robustness and resulting in a holistic approach to system security. Our emphasis for our product roadmap in this area, aligned with the company's vision, is on helping companies create robust software stacks for autonomous platforms. More of this will be discussed later in 2020.



Examples of relevant security designs include:

  • Boot Security
  • Data Protection: Data-In-Transit, Data-At-Rest
  • Data and Control Plane Separation
  • Separation of Enterprise and Control Networks
  • Read-only Monitoring