communication Archives - CISO MAG | Cyber Security Magazine

Harness Your System, No More a ‘Whack-a-Mole’
https://staging-cisomagcom.kinsta.cloud/harness-your-system-no-more-a-whack-a-mole/
Wed, 02 Feb 2022 12:44:55 +0000

Every day there are multiple reports from government, state municipalities, and corporates about being hacked, held for ransom, or becoming victims of denial of service (DoS), phishing, malware, trojans, and a whole array of other cyberattacks. All cyberattacks result from systems talking with the outside world where they are not meant to communicate. There is a need for a solution that can effectively safeguard the systems or mitigate the risk.

Meetings at Spaceport America, Virgin Galactic’s human spaceflight headquarters, and common work interest on suborbital space tourism got the innovators together to work on their idea of solving the cybersecurity challenge through innovation. In a virtual interaction, the Co-founders of Fraisos spoke to Minu Sirsalewala, Editorial Consultant at CISO MAG, and shared their mission, vision, and solution, as it appraises a non-traditional IPO as its next growth step.

Fraisos is a U.S.-based company founded in 2017 through a Department of Defense Small Business Innovation Research (SBIR) Program. It believes it has discovered the solution to the government’s cybersecurity challenges based on its next-generation cyber-defense innovation.

A common love for innovation and technical expertise in semiconductors, computer science and hardware engineering, mathematics, physics, electrical engineering, and U.S. Government programs brought the three founding members, Dr. Lindsay O’Brien Quarrie, Dr. Lawrence John Dickson, and Robert Montgomery Fryer, together to collaborate and offer solutions to cybersecurity challenges.

Dr. Lindsay O’Brien Quarrie, the Chief Executive and Technology Officer (CETO), articulated, “The challenges basically come from an excess of complexity, allowing communication to penetrate to places where it isn’t supposed to. The solution we came up with is to impose simplicity and force communication to happen only with those communication partners as intended by the actual needs of the program. We have devised a way to apply a simple old technology from the 1980s, called Communicating Sequential Processes, the Best Way of Doing Parallel Programming. A book that I published in 2014 described a very simple approach to it, using standard software. And, it gives you a hardware-software equivalent if applied correctly.”

Elaborating on the technique, Quarrie shares that this technology fits in well with the current scenario due to the hardware-software equivalent. The software can be made to behave exactly like an isolated piece of hardware communicating through a point-to-point link; it’s one intrinsically subordinated operating system.

On the software side, it is like putting a wrapper around your system, monitoring the communications, and restricting the communication – both internal and external.

“The advantage here is that when there are updates and a new version releases, there is no need to look at the binary code of the program. The solution will ensure that there is no access to the actual kernel of the device, and any attempt at execution of non-approved activity will be denied,” explained Quarrie.

Lower Cost Cyber Defense

Version upgrades have a direct cost implication; because upgrades are restricted, futile costs are avoided on both upgrades and security. The system has the intelligence to identify which upgrade is required and what app needs to be on the system, thereby ensuring no communication from within, which could open a window and make the system vulnerable to any cyberattack.

The isolation approach is about securing the critical parts of the system by controlling the access in a simplified way. This allows securing the system at multiple levels without compromising its performance and efficiency. As a result, it reduces cyber defense’s total implementation and maintenance costs by avoiding version skew.

The Solution

The products and service offerings include defined systems, formally and physically verified cyber defense (maps to physical reality) for embedded systems, smartphones, tablets, laptops, desktops, industrial controls, medical devices, and all embedded systems that boot and their associated systems. Quarrie opines, “We deal in realism, and run counter to the trend of abstraction and avoidance of detail. This enables us to be strong in the whole area of computer programming and design that has ‘gone fallow’ due to an increasing monoculture of trendy, ultra-abstract languages. We can step in wherever necessary, to get a tight grip on a device’s actual behavior (100% of the time, not just 99%). This includes strict security in the age of ransomware.”

Math and the Physical Sciences provide many ways to look at a large array of problems. These basics, plus a large dose of innovation, often illuminate an approach outside the mainstream and where new opportunities can be found. This is true, especially since technology provides many new tools to apply to old problems.

A Quantum Proof cyber defense, based on realism, rejects the abstraction trend and insists on verifiable, simple, predictable device behavior. “Components in our designs communicate according to explicit protocols which are exposed and not hidden, thus imposing restrictions that make security and predictability possible and understandable.”

Mission and Vision

Dr. Lawrence John Dickson’s book, Crawl-Space Computing (Amazon, 2014), is inspired by the classic computing paradigm, Communicating Sequential Processes (CSP), its implementation in the language OCCAM, the 1980-1995 era Transputer chip, and the product series. This is the basic premise on which the three members built their solution, with a mission for the consumers to take back control of the computer and the embedded systems. The consumer is the custodian and true owner, versus the hacker owning you.

A property central to all their designs, Hardware-Software Equivalence (HSE), means that it is formally verifiable that software written in this way is equivalent to hardware devices communicating by point-to-point data-passing channels. (It is related to Rushby’s separation kernels but more general.)

This opens up a massive variety of design approaches that behave predictably. As overly-abstracted devices run into walls of failure and malware, our mission is to uphold this ‘countercultural’ alternative that can solve the same problems clearly and understandably. HSE allows us to devise approaches that combine an outer CSP-type structure (the Finite Resource Allocator, or FRA) with inner ring-fenced nodes using standard computing tools (the Intrinsically Subordinate Operating Systems, or ISOSs), thus giving a shortcut to understandable effectiveness and explaining the company name FRAISOS (Finite Resources Allocator Intrinsically Subordinated Operating Systems).

With a vision to create a niche in the cyber security market, Fraisos is actively building its customer base with targeted research and production projects, emphasizing government customers, especially military and local government, protecting cities, municipalities, large and small businesses.

Quarrie emphasizes, “We have a simple, common-sense approach and tools. Predictability, reliability, and security of complex computing devices have been failing around the edges, and our approach solves this and makes clear the reason why it is solved.”

With a professional market evaluation of $155.1 M from Foresight Valuation in Silicon Valley, Fraisos’s principal investor is Space Sciences Corporation, from the research and development domain.

The current reality is that hackers can penetrate through these existing methods because the existing approach consists of layers and patches with holes for gaining access and is mostly “whack a mole.”

Quarrie echoes, “We are innovative by opposing complexity, where we try to make things more simple, not more complex. A system can be as complex as they like, but when they get to the outside world, they get to it through a very simple interface and a well-defined way of communication that’s been known since the 1980s. For example, take any classic car — we can still do a complex task without computers. But the task gets subdivided into simple components that interact with each other in a well-defined fashion. And that’s the path we’re taking. And there’s a lot of room for that path to be taken in the future.

Complexity causes disaster, and a lot of rocket ships have blown up. Fraisos believes in going ‘Back to the Future,’ and essentially being future proof at the same time.”

———————————————————————————————

References

Multiple Peer reviewed Formal Verification Proofs and acceptance Validated by IEEE Computer Society, COPA 2021, NSA, DoD.

Competitive SBIR awards Phase I and Phase II.

Follow-up in the N152-087 (Secure Electronic Kneeboard Across Multiple Security Levels on COTS Devices).

Founders of the new IEEE Concurrent Processes Architectures (IEEE COPA) and Embedded Systems group stepped in when CPA went offline due to COVID-19 and published a peer-reviewed conference proceeding in 2021.

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

About the Interviewer

Minu Sirsalewala is an Editorial Consultant at CISO MAG. She writes news features and interviews.

Facebook Outage – Was it a BGP hijack?
https://staging-cisomagcom.kinsta.cloud/facebook-outage/
Wed, 06 Oct 2021 13:30:43 +0000

Social media platforms are ingrained into the lives of billions of people across the globe and the unavailability of any one of them brings their life to a grinding halt. This is what billions of users of Facebook and its products like WhatsApp, Messenger, and Instagram experienced on Monday, October 4, when their pages displayed an error message. The Facebook systems were down, and all their services and apps were unavailable for over five hours.

The reason behind the outage was not immediately clear, and with cyberattacks being the order of the day, there was much speculation that a cyberattack was responsible for disrupting the services.

Competing platforms like Twitter, Snapchat, and Telegram witnessed a traffic surge with people seeking clarification, poking fun, and sharing updates on the outage.

Facebook itself had to resort to tweeting to reach out to its user base and update on the unavailability of the service.

The Technical Fallout

Facebook soon came up with an apology and an update on the technical reason behind the outage. The company said the problem was due to faulty configuration changes made to Facebook routers. These are the routers that coordinate the network traffic between their data centers. The routers could not communicate and hence caused the services to halt. In technical terms, this concerns the Border Gateway Protocol (BGP).

What is BGP?

Border Gateway Protocol is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS) on the Internet. BGP is classified as a path-vector routing protocol, and it makes routing decisions based on paths, network policies, or rulesets configured by a network administrator.

In plain English, BGP routes information between networks across the Internet. BGP interconnects various networks and facilitates communication between networks and the rest of the Internet.

Santosh Janardhan, VP Infrastructure, Facebook, shared on his page, “Our services are now back online and we’re actively working to fully return them to regular operations. We want to make clear that there was no malicious activity behind this outage — its root cause was a faulty configuration change on our end. We also have no evidence that user data was compromised as a result of this downtime.

We’ve been working as hard as we can to restore access, and our systems are now back up and running. The underlying cause of this outage also impacted many of the internal tools and systems we use in our day-to-day operations, complicating our attempts to quickly diagnose and resolve the problem.”

Industry experts and sources are describing it as a DNS issue in which BGP routes (or maps) have vanished.

Cloudflare, an American web infrastructure and website security company, in its blog described it as a BGP problem.

In the most recent update, Facebook attributed the problem to an internal command error.

“During one of these routine maintenance jobs, a command was issued with the intention to assess the availability of global backbone capacity, which unintentionally took down all the connections in our backbone network, effectively disconnecting Facebook data centers globally. Our systems are designed to audit commands like these to prevent mistakes like this, but a bug in that audit tool prevented it from properly stopping the command,” Facebook shared.

There have been both internal and external views of the reason behind the outage, and this incident raises numerous other issues related to security and vulnerability.

Per Forrester Senior Analyst, Alla Valente, Security & Risk (Risk Management), “In Facebook’s quest to integrate its products and underlying technical infrastructure into a single platform is the concentration risk it creates for the company, where a single risk event that produces a cascading effect – in this case, the inability of their machines to talk to one another brought the company to a standstill. Concentration risk is one of the top systemic risks for 2021 that Forrester identified early this year. And Facebook’s size, market share, and ubiquity make it a system into itself. If the company doesn’t get better at managing its risks across the organization, it stands to lose its tight hold it’s been struggling for years to maintain.”
