Separation at the silicon foundation

For secure laptops

Market trends

A US-centric survey by the Ponemon Institute in January 2020 highlighted that attacks against endpoints are growing while detection is getting harder. Some of the datapoints which were of particular interest include the following:

  • An average of 80% of successful breaches are new or unknown "zero-day attacks"
  • The average time to apply, test, and fully deploy patches to endpoints is 97 days
  • Endpoint detection and response technology is not in use
  • Investigations continue to highlight that companies are often unaware of hacks for months. One example was the revelation that hackers were in Citrix’s network for five months between 2018 and 2019, making off with personal and financial data on company employees, contractors, interns, job candidates and their dependents

The National Security Agency/Central Security Service (NSA/CSS) Commercial Solutions for Classified (CSfC) Program has been established to enable commercial products to be used in layered solutions protecting classified NSS data. This will provide the ability to securely communicate based on commercial standards in a solution that can be fielded in months, not years. Comparable approaches will be embraced by a diverse set of Enterprises that, in the post COVID-19 era, must maintain security levels with an increased number of employees working completely or more regularly from remote locations on networks with questionable security levels.

PRIVACY

Sending metadata up into the cloud as opposed to data that is traceable back to a specific individual.

LATENCY

Some data are better handled locally, in real time, as opposed to being sent to the cloud for processing.

COST

A fraction of the data being sent to the cloud is being mined effectively for analysis... but all of it is being stored, which costs the enterprise a significant amount of money.

"Industry 4.0"

The integration of robust data analytics...


Increasing challenges to security

[Infographic: average cost of a breach (2019); percentage of successful attacks that are zero-day; days to fully apply a patch]

Lynx Solution

Lynx is supporting a US customer who is creating a CSfC compliant platform. The program is based on a Dell 5590 Laptop with support for Windows 10 and Ubuntu 18.04 LTS running on LynxSecure. In normal operation, a user plugs the laptop into an Ethernet LAN and boots the machine. A session manager is loaded. If a LAN is detected, an authentication option will be launched to load a “protected session”. The user logs into protected sessions using network authentication and/or physical security tokens.

The system supports the following functionality:

  • Pre-boot authentication with network detection
  • Laptop power management functionality, graceful shutdown/sleep
  • Self-encrypted drive
  • Boot Security UEFI Support / BootGuard
  • Laptop shall use UEFI to verify SRP integrity and authenticity
  • Ubuntu Guest Support

By adding a partition dedicated to hosting an “unprotected Windows” instance, the Lynx technology will still enforce that the protected Windows connects only via VPN, while the user’s unprotected Win10 can have normal web access.

Lynx Software - Secure Endpoint Diagram


Founded on security

The LynxSecure separation kernel is able to allocate hardware resources (CPU cores, memory and IO) to specific virtual machines in a fine-grained way. Once those allocations are made and the system boots, they cannot be adjusted. Unlike other hypervisors, there is no helper OS. In a laptop application, this means that this type of platform offers:

  • No hypervisor/management login
  • No hypervisor administrator user
  • No remote unprotected OS code execution into secure OS
  • No unprotected OS denial of service against secure OS
  • No dynamic system modification
  • No hypervisor/management console applications

After the secure boot of the system and the immutable boot-time hardware partitioning, strict isolation of applications is enforced:

  • One guest operating system cannot access another guest’s resources
  • LynxSecure cannot access a guest’s resources
  • DMA Capable devices cannot access a guest’s resources

Because system security is enforced all of the time:

  • Data encryption is always on
  • VPN functionality is always on
  • USB device insertion is always off
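The isolation properties listed above (each core, memory range and IO device belongs to exactly one guest, and the allocation is frozen once the system has booted) can be checked mechanically. The following is an added, constructed model of a boot-time partition manifest for a three-guest laptop; it is not LynxSecure’s configuration format or code, and the partition names, core numbers, address ranges and device names are illustrative assumptions.

```python
"""Constructed model of a boot-time partition manifest (NOT LynxSecure's own
configuration format). validate() reports any resource reachable from two
guests; freeze() models 'no dynamic system modification' after boot."""
from dataclasses import dataclass
from types import MappingProxyType


@dataclass(frozen=True)
class Partition:
    name: str
    cores: frozenset                      # CPU core ids owned by this guest
    memory: tuple                         # (start, end) physical range, end exclusive
    devices: frozenset = frozenset()      # IO devices assigned to this guest (assumed names)


def overlaps(a, b):
    """True if two half-open address ranges share at least one byte."""
    return a[0] < b[1] and b[0] < a[1]


def validate(partitions):
    """Return a list of isolation violations; an empty list means the manifest is sound."""
    errors = []
    for i, p in enumerate(partitions):
        for q in partitions[i + 1:]:
            if p.cores & q.cores:
                errors.append(f"cores shared by {p.name} and {q.name}: {sorted(p.cores & q.cores)}")
            if overlaps(p.memory, q.memory):
                errors.append(f"memory overlap between {p.name} and {q.name}")
            if p.devices & q.devices:
                errors.append(f"device shared by {p.name} and {q.name}: {sorted(p.devices & q.devices)}")
    return errors


def freeze(partitions):
    """After 'boot', the partition table is exposed read-only: no dynamic modification."""
    return MappingProxyType({p.name: p for p in partitions})


def is_immutable(table):
    """True if an attempt to add or replace a partition after boot is rejected."""
    try:
        table["late-guest"] = Partition("late-guest", frozenset({7}), (0, 1))
    except TypeError:
        return True
    return False


# Constructed sample layout: protected and unprotected Windows plus an Ubuntu guest.
LAPTOP = [
    Partition("protected-win10", frozenset({0, 1}), (0x1_0000_0000, 0x2_0000_0000), frozenset({"gpu"})),
    Partition("unprotected-win10", frozenset({2}), (0x2_0000_0000, 0x2_8000_0000), frozenset({"nic0"})),
    Partition("ubuntu", frozenset({3}), (0x2_8000_0000, 0x3_0000_0000)),
]
```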
