Post on 20-Jun-2020
Reflections on “Trust Evidence”
Jonathan M. Smith
jms@cis.upenn.edu
Computer and Information Science
University of Pennsylvania
ONR MURI N00014-07-1-0907
Review Meeting
June 10, 2010
Cyberwarfare, botnets and trust
Report Documentation Page (Standard Form 298, Rev. 8-98)
1. Report date: 10 JUN 2010
3. Dates covered: 00-00-2010 to 00-00-2010
4. Title and subtitle: Cyberwarfare, botnets and trust
7. Performing organization: University of Pennsylvania, Computer and Information Science, 3451 Walnut St, Philadelphia, PA 19104
12. Distribution/availability statement: Approved for public release; distribution unlimited
13. Supplementary notes: MURI Review, June 2010. U.S. Government or Federal Rights License
16. Security classification: report unclassified; abstract unclassified; this page unclassified
17. Limitation of abstract: Same as Report (SAR)
18. Number of pages: 20
11/4/09 ONR MURI Review 2
What is cyberwarfare?
• Attacks against adversary using computers as weapons
– And, defense against such attacks
• Goal is attack/defense of nation(s)
– Issues are scale, capabilities, willingness
Kinetic versus Cyber
Attribute | Kinetic | Cyber
Effects | Variable (largely known, e.g., guns, bombs) | Variable (largely unknown)
Coverage | Limited by materiel | Global
Speed | Limited by transport | Possibly instantaneous
Cost (as %GDP) | Significant | Insignificant
Industrial base important? | Yes | No
Attributable | Yes, at scale | Not clear, at any scale
Example: Estonia
• http://www.nytimes.com/2007/05/29/technology/29estonia.html
• Affected government, banks, newspapers
• Example of “Denial of Service” attack
• If you depend on the net
– Availability: your packets get through
– “Best effort” (IP service) not enough
– 1M machines send one 1KB packet/second
• 8 Gbits/second – overwhelms most links
Attribution (who did it?)
• Kinetic weapons: easy
• Internet: source addresses not needed for routing, anonymity tools
Botnets
• Can botnets be eliminated at the host?
– Same question as “can hosts be made secure”
• Can they be detected and defended against?
– DDoS major threat
• We demonstrate that detection of the command and control is hard
Humanets
• Routing via smartphone wireless LAN ports
• Could do epidemic routing
– Overloads network
• Smarter use of smartphones
– Look for “promiscuous” host …
– That is also likely to move towards destination
• Does it work?
Capture data from G-1
[Figure: map of the capture area; legible place labels include Lancaster, Bridgeton, Dover and Hammonton.]
Are locations predictable?
[Figure: plot with y-axis from 0 to 1 and x-axis "Time" running from Sep/04 to Mar/05; series label: Regular+Irregular.]
It works pretty well on the data…
[Figure: plot with y-axis from 0 to 1 and x-axis "Latency (minutes)" from 0 to 4500. Legend: HumaNet Routing (85% success); Flooding (76.3% success); Flooding w/prob 5% (60.3% success); Random Walk w/prob 5% (28.7% success).]
Impact?
• Completely decentralized C&C net
– 85% delivery in 12 hours
• Easy to use for botnet or …
– Wherever short commands are enough
• Hard to detect (you have to be local)
• Hard to block
Trust: What is it?
• Trust is the expectation that the right thing will happen for the right person at the right time and at the right place
• Various factors can increase or decrease this expectation
– Unknowns (and unknowables?)
– Adversaries
• 100% and 0% not achievable, but how close?
Reasoning about Trust
• Trust is often based on transitive trust
– I trust Alice since I trust Bob and Bob trusts Alice
• But degree of trust is more subtle
– I trust Alice less than Bob, with whom I vacation (i.e., my knowledge of Bob is better, and direct)
• Trust is dynamic
– More experience with Alice, Bob cheats me, …
– As examples show, increases and decreases
Dependencies and Independence
• Trust is often based on assumptions of trust
– This creates a chain of dependencies
– See Thompson, “Reflections on Trusting Trust”
• Most SW systems assume HW trusted
– “FPGA Viruses”, Hadzic, Udani, Smith, FPL ’99
– “Overcoming an Untrusted TCB”, Hicks, Finnicum, King, Martin, Smith, S&P ’10
• Desiderata: Independent attestation
– Thinking Bayes: Pr(good) = 1-Pr(bad1)*Pr(bad2)*…
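Added example (not from the original slides): the product formula above holds only when the attestation sources fail independently. The Python sketch below computes Pr(good) exactly for attestors that may share components; the component names and the 0.1 compromise probabilities are constructed for illustration.

```python
from itertools import product
from math import prod

def pr_good_independent(pr_bad):
    """Slide formula: Pr(good) = 1 - Pr(bad1)*Pr(bad2)*... (independent sources)."""
    return 1.0 - prod(pr_bad)

def pr_attestor_bad(deps, p_comp):
    """An attestor is bad if any component it depends on is compromised."""
    return 1.0 - prod(1.0 - p_comp[c] for c in deps)

def pr_good_exact(attestors, p_comp):
    """Pr(at least one attestor is good), enumerating every component state.
    attestors: list of sets of component names; p_comp: name -> Pr(compromised)."""
    comps = sorted(set().union(*attestors))
    total = 0.0
    for state in product([False, True], repeat=len(comps)):
        bad = {c for c, hit in zip(comps, state) if hit}
        weight = prod(p_comp[c] if c in bad else 1.0 - p_comp[c] for c in comps)
        if any(not (deps & bad) for deps in attestors):
            total += weight
    return total

# Constructed inputs (assumptions, not from the slides).
P = {"tpm_a": 0.1, "tpm_b": 0.1, "tpm_c": 0.1, "shared_firmware": 0.1}
INDEPENDENT = [{"tpm_a"}, {"tpm_b"}, {"tpm_c"}]
DEPENDENT = [{"tpm_a", "shared_firmware"}, {"tpm_b", "shared_firmware"},
             {"tpm_c", "shared_firmware"}]

def compare():
    """Exact Pr(good) for both layouts, plus the product formula misapplied
    to the dependent layout using each attestor's marginal Pr(bad)."""
    naive = pr_good_independent([pr_attestor_bad(d, P) for d in DEPENDENT])
    return {
        "independent": pr_good_exact(INDEPENDENT, P),
        "dependent_naive": naive,
        "dependent_exact": pr_good_exact(DEPENDENT, P),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.6f}")
```

With the shared firmware, three attestors give 0.8991 rather than the 0.993 the product formula suggests: the common dependency caps Pr(good) at 0.9.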
Blaze, et al., “Trust Management” supports dependent and independent trust
[Figure: trust management architecture. Labels: Principal (U.S. Customs), Principal (a U.S. citizen), Policy, Credential Store, Compliance Checker, Interface; inputs: local policy, cryptographically signed credentials, naming.]
DISTRIBUTED authorization and compliance checking
Policies may be dynamically introduced by multiple authorities
Root of Trust – Arbaugh’s AEGIS (Oakland ’97)
[Figure: AEGIS layered boot diagram. Labels: Level 0 (BIOS 1, Netcard), Level 1 (BIOS 2), Level 2 (Expansion ROMs), Level 3 (Boot Block), Level 4 (Software Environment); Trusted Repository; Network.]
Evidence of Trust
• Multiple independent sources for attestation
– E.g., voting TPMs with secured access (crypto)
• Minimal dependent sources
– Rely as much as possible on differential integrity
– Secure Boot on TPM
• Robust integrity checks
– Chaining Layered Integrity Checks
• Dynamics – situational awareness
• Recovery strategies using independence
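Added example (not from the original slides or from AEGIS itself): a minimal Python model of chained layered integrity checks with recovery, using the level names from the AEGIS slide. It assumes each level is checked against a stored SHA-256 digest before control passes to it and that a failed level is refetched from a trusted repository; the images and the digest store are constructed.

```python
import hashlib

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

# Constructed sample images; names follow the slide's level labels (Levels 1-4).
GOOD = {
    "BIOS 2": b"bios section 2 v1",
    "Expansion ROMs": b"option rom v1",
    "Boot Block": b"boot block v1",
    "Software Environment": b"kernel v1",
}
ORDER = list(GOOD)
# Expected digests, assumed to sit in storage protected by the Level 0 root.
EXPECTED = {name: digest(image) for name, image in GOOD.items()}

def chained_boot(installed, repository):
    """Verify each level before control passes to it. On a mismatch, try the
    trusted repository copy; if that also fails, halt. Returns (booted, log)."""
    log = []
    for level, name in enumerate(ORDER, start=1):
        image = installed.get(name, b"")
        if digest(image) == EXPECTED[name]:
            log.append((level, name, "ok"))
            continue
        log.append((level, name, "mismatch"))
        image = repository.get(name, b"")
        if digest(image) != EXPECTED[name]:
            log.append((level, name, "halt"))
            return False, log      # later levels never receive control
        installed[name] = image    # repair the local copy
        log.append((level, name, "recovered"))
    return True, log

if __name__ == "__main__":
    tampered = dict(GOOD, **{"Boot Block": b"modified boot block"})
    print(chained_boot(tampered, dict(GOOD)))
```
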
Quantitative Trust Management (Eurosec ’09)
[Figure: Quantitative Trust Management architecture. Blocks: Policy-Based Trust Manager, Reputation-Based Trust Manager, Decision Manager. Other labels: Request & Credentials, Local Policy, Context Information, Policy Evaluation Engine, Action, Compliance Value, Reputation Database, Reputation Algorithm, Reputation Quantifier, TDG Extractor, TDG, TV, Feedback, Decision Meta-Policy, Decision Maker, Decision.]