
Sekhar Avutu

Architecting and Implementing Cyber Security requirements for various domains. Cyber Security Developer with 14 years' experience; areas of skill include Network and Security protocols development, Programming Embedded systems, Application Security, Network Security and IoT; primary language skills include C.
  • Role

    Cyber Security Developer (IT & Information - Other)

  • Years of Experience

    16 years

Skillsets

  • PoCs for new feature enhancement
  • Threat Modelling
  • Building IoT platform and applications
  • Scaling and performance enhancements
  • Fixing complex design and implementation issues
  • Custom network and security protocol design
  • Cyber Security Tools
  • Implementing crypto libraries
  • Scalability requirements
  • Threat mitigation
  • Kernel - 8 Years
  • Feature implementation
  • New product development
  • DevSecOps
  • Automation tools
  • Docker - 3 Years
  • AWS - 6 Years
  • Architecture - 9 Years
  • System Design - 9 Years
  • C - 16 Years

Professional Summary

16 Years
  • Apr, 2023 - Present 2 yr 7 months

    Advisor, Cyber Security

    IBM
  • Jun, 2022 - Mar, 2023 9 months

    Architect, Cyber Security

    Wipro
  • Nov, 2021 - Feb, 2022 3 months

    Senior Technical Specialist, Cyber Security

    Nestle, Spain
  • Feb, 2016 - Feb, 2018 2 yr

    Lead Engineer

    United Technologies Corporation
  • May, 2019 - Sep, 2020 1 yr 4 months

    Lead Engineer

    Harman Connected Services(Samsung)
  • Nov, 2020 - Nov, 2021 1 yr

    Senior Technical Lead Engineer

    HCL technologies
  • Jan, 2015 - Jan, 2016 1 yr

    Senior Software Engineer

    L&T Technology Services
  • Mar, 2014 - Jan, 2015 10 months

    Senior Software Engineer

    CalsoftLabs (ALTEN group )
  • Jun, 2012 - Mar, 2014 1 yr 9 months

    Software Engineer

    GainSpan Systems
  • May, 2008 - Jun, 2010 2 yr 1 month

    Software Engineer (Technical Support)

    NoxIT Solutions
  • Sep, 2010 - May, 2012 1 yr 8 months

    Software Engineer

    Elitecore Technologies Pvt LTD

Applications & Tools Known

  • C
  • Linux
  • HTML
  • PHP
  • OpenSSL
  • Wireshark
  • NMAP
  • Maria DB
  • NIST

Work History

16 Years

Advisor, Cyber Security

IBM
Apr, 2023 - Present 2 yr 7 months

Architect, Cyber Security

Wipro
Jun, 2022 - Mar, 2023 9 months

Senior Technical Specialist, Cyber Security

Nestle, Spain
Nov, 2021 - Feb, 2022 3 months

Senior Technical Lead Engineer

HCL technologies
Nov, 2020 - Nov, 2021 1 yr

Lead Engineer

Harman Connected Services(Samsung)
May, 2019 - Sep, 2020 1 yr 4 months

Lead Engineer

United Technologies Corporation
Feb, 2016 - Feb, 2018 2 yr

Senior Software Engineer

L&T Technology Services
Jan, 2015 - Jan, 2016 1 yr

Senior Software Engineer

CalsoftLabs (ALTEN group )
Mar, 2014 - Jan, 2015 10 months

Software Engineer

GainSpan Systems
Jun, 2012 - Mar, 2014 1 yr 9 months

Software Engineer

Elitecore Technologies Pvt LTD
Sep, 2010 - May, 2012 1 yr 8 months

Software Engineer (Technical Support)

NoxIT Solutions
May, 2008 - Jun, 2010 2 yr 1 month

Achievements

  • Received milestone award for successful product delivery, UTC

Major Projects

15 Projects

OS Security

Mar, 2023 - Present 2 yr 8 months
    Upgrading Disk Encryption Software with OpenSSL 3.0. NIST SP 800-154: Data-Centric System Threat Modelling. Threat analysis for Data-at-Rest with S-T-R-I-D-E method. Solutions against: - Spoofing - Tampering - Repudiation - Information disclosure - Denial of service - Elevation of privilege. Threat analysis for Data-at-Rest using Confidentiality - Integrity - Availability triad. Advanced Encryption Standard modes of operation for Data-at-Rest. NIST SP 800-38A - AES Block-Cipher modes of Operation. Implementing Proof of Concept (PoC): Confidentiality, Integrity, Availability, Non-Repudiation, Authentication, Access Control for Data-at-Rest. RFC 5903 - Elliptic Curve Groups modulo a Prime (ECP Groups) for IKE and IKEv2. Implementing Elliptic Curve Diffie-Hellman Key Exchange - ECDH-384, ECDH-521 for IPsec. Cyber Security Check: Automating Race condition detection in multi-threaded programs for Static Code Analysis Tool. Design reviews for Cyber Security Solutions - Disk Encryption Software, IPsec, Firewall, Static Code Analysis Tool etc. Initiation of Elliptic Curve Diffie-Hellman key Computation and Storage in Trusted Platform Module (TPM).

Cyber Security for Automotive domain

Jul, 2022 - Present 3 yr 4 months
    Architecting, Reviewing and implementing Cyber Security features for Automotive domain. Architecture risk Analysis for Docker content trust for use in Automotive domain. Architecting and Implementing Content/Image/Asset trust using digital signature with Docker content trust and Elliptic Curve Crypto System - NIST-SECP-384 Curve (Standards for Efficient Cryptography Group) for Automotive domain. Architecting Over the Air Firmware Upgrade, Secure boot, Secure/Encrypted Filesystem, Dynamic key agreement protocol (Elliptic Curve Diffie-Hellman key exchange, Elliptic Curve digital signature algorithm) using Docker trust and Elliptic curve crypto system for Automotive domain. Architecting and Implementing In vehicle network layer firewall for connected car. Real time, Automated protection against common internet threats using network layer firewall for connected car. PKI tool kit, Certificate Authority for connected car. Integration with SIEM tool. Cyber Security test setup, Packet generation simulations for connected car. Risk Auditing using Nmap, Mitigation design and Implementation. Integrating connected car with SIEM, Security Event Format.

Configuration import and export

    The objective is to export configuration settings from the UTM appliance including Interface settings, Zone settings, DNS settings, Appliance access information, User accounts, Firewall rules, IPS signatures and Antivirus signatures in XML format and to import settings from self and competitors' exported configuration files. LibXML is used while exporting XML based configuration. While importing, parsers are written to extract necessary information from self, SonicWall, FortiGate and Astaro configuration files.

Country based logging for UTM traffic

    The objective is to log events with source and destination countries resolved from source and destination IP in IPv4 packets violating firewall rules, mail traffic policies, IPS policies, Virus signatures and Content filtering policies. A country DB is maintained with country codes and corresponding IP addresses for each country and a set of APIs were written to resolve IP to Country. In this way the source and destination countries are added to the standard event for anomalous traffic detected by various modules in UTM.

Layer-7 filtering for Netfilter-IPtables

    The objective is to provide the feature of Layer-7 protocol filtering using Netfilter-Iptables framework. L7-filter is a classifier for the Linux Netfilter that identifies packets based on patterns in application layer payload. This allows correct classification of P2P traffic and it can classify packets such as HTTP, Jabber, Citrix, BitTorrent, FTP, eDonkey2000 etc. that use unpredictable ports as well as standard protocols running on non-standard ports. Unlike most other classifiers, it doesn't just look at simple values such as standard port numbers; instead it does regular expression matching on the application layer data to determine what protocols are being used. Netfilter extensions were written for matching the signatures of application protocols and were loaded in INPUT, OUTPUT and FORWARD chains in filter table through iptables commands.

Writing netfilter modules to filter fragmented traffic

    The objective is to filter the fragmented IP packets and IP options enabled packets from entering the network. Netfilter modules were written and registered at INPUT, FORWARD and OUTPUT chains to filter the IP packets with more fragments bit enabled and IP options bit enabled. In this way reconnaissance attempts based on source routing and record routing are blocked.

Performance analysis for Linux kernel with LMbench

    The objective is to analyze performance of Linux kernels compiled with and without delay accounting statistics enabled. Bandwidth and latency of Linux kernel with various accounting statistics enabled are tested with the set of tools available in LMbench and the results are documented.

SNMPv3 protocol for UTM appliance

    The objective is to implement SNMPv3 protocol in UTM appliance for supporting secure SNMP query and response transactions between SNMP manager and agent (UTM appliance). User Security Model (USM) with MD5, SHA1, SHA-2 as message integrity models and DES, Triple DES, AES-128, AES-192 as privacy models was implemented. View Based Access Control (VACM) was implemented based on role based access to access Management Information Base.

Cryptography research for Trusted Platform Module (TPM)

May, 2022 - Jul, 2022 2 months
    Implementing a user container (User Application) for Advanced Encryption Standard with CBC, CFB, CTR, ECB, GCM modes of operation for real time Encryption/Decryption crypto operations over Zephyr RTOS. An AES user tool is implemented to interact with user container.

Cyber Security for Industrial IoT, Secure SDLC

Nov, 2020 - Nov, 2021 1 yr
    Designing Trusted Firmware upgrade manager tool, new end-to-end security protocol for Firmware upgrade, Secure boot authentication. Designing/Implementing Secure Software Development Lifecycle for IIoT, Upgrading PKI standards with SUITE-B and CNSA algorithms. Threat analysis and mitigation design for firmware features. Participating in Cyber Security trainings. FreeRTOS, ECC, X.509, NIST, TLS, TCP, IPv4, IPv6. Cyber Security Architecture reviews, Risk analysis and mitigation design, NIST standard suite, End to End security design, AWS IoT Authentication and Authorization. End to End Secure mutual authentication protocols and firmware upgrade protocol in public key infrastructure using NIST standard suite of Elliptic Curve Crypto System with X.509 certificates over TCP/(IPv4/IPv6) networks. Implementing Certificate Authority, CA signing for domains relevant to food and beverages, Building Automation, Home Automation, Electric Utilities, Security Solutions, IoT, Network Security Appliances, Embedded devices using NIST Standard suite of Elliptic Curve Crypto System. Certificate Authorities for food and beverages Industry. Certificate Authorities for Home Automation, Building Automation industry. Certificate Authorities for Electric grid, Utilities. Certificate Authorities for Security Solutions. Certificate Authorities for Enterprise networks. Certificate Authorities for Network Security Appliances, IoT devices, IoT gateways, Embedded devices. Secure Handshake protocols, Session Creation protocols (by location, by machine ID, by Inventory information etc.), Dynamic key agreement protocols for Secure boot, for firmware upgrade, for device connectivity, for monitoring device health using NIST Standard suite of Public Key Cryptography algorithms and Elliptic Curve Crypto System. Cyber Security Architecture Reviews, Threat Analysis, Mitigation Design.
End to End Secure Application Security protocol design suitable for scalable cloud application to embedded device(s) with RTOS and Elliptic Curve Crypto System, Digital Signatures for Mutual Authentication, Non Repudiation. Symmetric Key Exchange for Confidentiality (also for use in HMAC algorithm) using Diffie-Hellman key Exchange, Symmetric Key Exchange for Confidentiality (also for use in HMAC algorithm) using Digital Signature backed by Elliptic Curve Crypto System, SHA. SHA for Integrity check. Session Creation, Session Termination, Option to add Additional Authentication with User identity, by Location, by Inventory information. Authorization with user privileges based on User Identity, Role, Location etc. (AppSecProtocol)/TLS/TCP/(IPv4/IPv6)/(Physical Media) at scalable cloud application <===to===> (AppSecProtocol)/TLS/TCP/(IPv4/IPv6)/(Physical Media) at embedded field device(s) with RTOS. Suitable for Secure Connectivity, Secure firmware upgrade over the air, Secure boot authentications, for Secure Monitoring the health of remote Embedded device and for securely controlling the remote embedded device. Reference from NIST. Roles and responsibilities: Threat analysis and mitigation design for firmware features: Secure Boot, Firmware Upgrade, Role Based Access Control, IPv6. Solution design against IP spoofing, Man in Middle, Deprecated PKI standards. Involved in Cyber Security Blue-Team Activities.

Application Security for BACNET Application Server

Mar, 2020 - Sep, 2020 6 months
    Implementing Windows event logging feature for BACnet Application Server. Implementing SYN flooding mitigation using SYN proxy and IP blacklisting. Implementing DDoS mitigation using SYN proxy, SYN request rate and IP blacklisting. Implementing SSL/TLS session manager and APIs to create secure X509 certificates for license creation, public key validation and digital signatures. Implementing BACnet Application Firewall to create BACnet filter rules. Roles and responsibilities: Architecting and implementing Cyber Security requirements, Creating the technical documents for the features implemented. Integrating BACnet application server to SIEM.

Elliptic Curve Crypto System

May, 2019 - Feb, 2020 9 months
    Implementing and upgrading the public key infrastructure with Elliptic Curve Crypto System using OpenSSL package and NIST standard. Porting gxRemote connectivity mobile application to ARM 64-bit platform. Implementing crash recovery tool for MPICRX intrusion detection system. Secure M2M protocol design and implementation using XTEA cipher. Implementing static and run time memory leak detection framework. Upgrading / Architecting software licensing module with new Security framework for MPICRX intrusion detection system. Roles and responsibilities: Architecting and implementing Cyber Security requirements.

Secure Equipment Connectivity

Jan, 2016 - Feb, 2018 2 yr 1 month
    Secure equipment connectivity project is to remotely connect PIC micro controller available on chiller controllers to the remote monitoring site using cellular network and collecting BACnet (Building Automation and Control network) trend data for predictive maintenance of the chiller equipment meeting the scalability requirements and update interval requirements. The system consists of chiller controller, gateway device located at field and supports BACnet protocol. The Communication agent software located at remote monitoring site is responsible for collecting BACnet trend data and forwarding it to Azure IoT hub. Implemented Entrust certificate based TLS authentication and upgraded CommAgent to Gateway communication from earlier used self-signed certificates to Entrust based authentication. Maintained, redesigned and implemented the features required for MMS Emulator (used by QA) to support scalability needs of the system. Implemented REST call application using the add-ons provided as a proof of concept to be used by customer. Implemented performance tuning framework by implementing simulators needed (simulating WEBCtrl and MMS Emulator) and tuned the system performance to the required update interval. Implemented auto installing Windows features required by CommAgent, access control feature for CommAgent, designed and implemented gateway device status state machine at CommAgent. Implemented user notification (through email) feature in the event of finding inactive gateway and inactive BACnet field device. Upgraded the system from TLS1.0 to TLS1.2 based authentication. Implemented SSL server in MMS Emulator and upgraded the scalability test setup to TLS1.2 based authentication. A single CommAgent was implemented for mainline and scalability tests and improved the overall system performance (update interval) as per the scalability requirement.
A quality solution was delivered to the customer meeting all the requirements and assisted customer in installing CommAgent. The objective of Remote Connectivity phase-2 solution is to support 2000 BACnet devices connected to CommAgent and seamlessly collect trend data and forward it to Azure IoT hub using AMQP protocol. A stateful, multi-threaded, scalable and event driven BACnet Trend service proxy is designed and implemented for collecting trend messages and the collected data was forwarded to IoT hub through AMQP protocol. Ported Cimetrics BACnet stack to CommAgent Application and implemented trend service proxy using Cimetrics stack. Provided pre installation and post installation support for the customer and received positive feedback on the solution.

TR181 Data model for IPv6

Jan, 2015 - Dec, 2015 11 months
    Objective is to implement TR181 data model for IPv6 involving Router advertisement daemon, DHCPv6 server, DHCPv6 client, Sixrd and DSLite features. Implemented the data model with SLAAC, SLAAC+Stateless DHCPv6 and Stateful DHCPv6 on LAN side and Stateful DHCPv6, Prefix delegation, Sixrd and Dual stack lite on WAN side.

GS2000

Jun, 2012 - Mar, 2014 1 yr 9 months
    GS2000 project is to enable internet of things with any embedded device having serial port to connect to the network. GS2000 SOC connects to network on behalf of host MCU and allows the host MCU to do network related operations like Scan, Connect, creating TCP/UDP client servers etc. The objective is to implement socket callback API over NetX TCP/IP stack. NetX is light weight TCP/IP stack with small foot print provided with ThreadX RTOS. Two APIs were written for applications to register callback functions to be invoked for certain events in NetX stack like event when data is received on TCP or UDP, client connection request event on listening server port, connection reset event due to retransmission timeout and disconnect events. Setsockopt was implemented for TCP_MAXRT, TM_TCP_MAX_REXMIT and TCP_KEEPALIVE options. The objective is to port Serial to Wifi application to ThreadX. Serial to Wifi application includes an AT+ command interface that takes input through serial port from host MCU, a light weight TCP/IP network stack and WLAN interface to interact with the WLAN CPU. S2W application running on APP CPU does the appropriate action based on the commands received from the host MCU. The commands ported include creating TCP client server, UDP client server, wireless association, scan, disconnect etc. The objective is to enable IPv6 in GS2000 project. Enhancements are made to the WLAN interface in layer-2 to accept IPv6 packets, multicast packets and to initialize and autoconfigure for link-local address during network initialization. Set up an IPv6 network and tested the functionality with both stateless auto configuration and stateful configuration with DHCPv6. Implemented IPv6 related AT commands in serial to wifi application. The commands implemented include creating TCP and UDP client servers over IPv6, setting manual link-local and global IPv6 addresses to interface, DNSv6 look-up, PINGv6 etc.
The objective is to implement DHCPv6 server targeted for embedded networks. Went through RFC 3315 and implemented DHCPv6 server with options to assign IPv6 addresses when the node runs in limited AP mode. Tested with multiple clients and integrated with GS2000 project. The objective is to implement DNSv6 server targeted for embedded networks. Went through RFC 3596 and modified existing DNSv4 server to support IPv6 record types when the node runs in limited AP mode. Implemented corresponding AT commands, did unit testing and integrated with GS2000 project. The objective is to implement network connection manager when the node runs in station mode. Network connection manager maintains a state machine and auto connects to the configured network. Responsibilities include designing state machine for various L2 and L3 network connection related events, optimizing the state machine and testing it. The objective is to implement roaming feature in network connection manager. With roaming enabled, NCM connects to the highest RSSI AP available when RSSI drops below the threshold. Responsibilities include implementing and testing the roaming feature. The objective is to implement MDNS over IPv6. Implemented host name registration service registration, service announcement, service discovery. Modified NetX to accept IPv6 MDNS multicast packets with multicast address FF02::FB. Implemented corresponding AT commands. The objective is to resume DHCP thread across standby and perform renew and rebind operations based on the standby sleep time. Implemented the feature, unit tested and integrated in GS2000. The objective is to support FQDN in network connection manager. NCM operates with FQDN and connects to resolved IP address. Handled time to live for FQDN and implemented the feature, unit tested and integrated in GS2000. The objective is to handle IP conflict detection in LAN during DHCP.
Implemented the feature with gratuitous ARP response handler by sending DHCP decline message and rolling back to the static IP. Unit tested and integrated to GS2000. The objective is to reduce the connect time in network connection manager by optimizing the NCM state machine. Implemented the feature by introducing a new state in NCM with state variables obtained from previous connect state. Unit tested and integrated in GS2000.

Education

  • Master of Technology (Computer Science and Engineering-Information Security)

    Pondicherry University, India (2008)
  • Bachelor of Engineering (Electronics & Communication Engineering)

    Andhra University, India (2006)
  • Course on Embedded System Design Using Micro controllers

    Indian Institute of Science, Bangalore, India
  • Programming with CryptoAPI

    Coursera - University of Colorado
  • Cryptography I

    Coursera - Stanford University
  • Certified C Programmer

  • GATE-2006 (Graduate Aptitude Test for Engineers) score 437

    (2006)

Certifications

  • Certified C Programmer

  • Cryptography I from Coursera - Stanford University

  • Programming with CryptoAPI - Coursera - University of Colorado