Introduction to the ZeroTrust Initiative

Post on 07-Apr-2017


transcript

Paweł Jakub Dawidek
CTO, Wheel Systems; Founder of the ZeroTrust Initiative
<pjd@ZeroTrust.org> <p.dawidek@wheelsystems.com> <pjd@FreeBSD.org>

The ZeroTrust Initiative
There is no Security without Transparency

The ZeroTrust Initiative aims to improve overall IT security by removing forced trust.

Problems…
- we are forced to trust the vendors
- no source code for proprietary products
- no reproducible builds for open-source
- trusted build environment?
- secure distribution?
- reproducible installs?

Whoisright?

„If it cannot be verified, it cannot be secure”

Why is that important, exactly?

No source code

„Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly backdoors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software.”
Bruce Schneier

„Thanks to the recent NSA leaks, people are more worried than ever that their software might have backdoors. If you don't believe that the software vendor can resist a backdoor request, the onus is on you to look for a backdoor. What you want is software transparency.”
prof. Edward W. Felten

No reproducible builds: different…
- compilers
- compilation options
- headers
- libraries
- time
- build environment metadata
- filesystem metadata in archives
- signatures
- profile-guided optimizations

No reproducible builds
- How small can a backdoor be?

OpenSSH 3.0.2 (CVE-2002-0083) - privilege escalation to root

- if (id < 0 || id > channels_alloc) {
+ if (id < 0 || id >= channels_alloc) {

Assembly, vulnerable version (only id > channels_alloc is rejected, so id == channels_alloc gets through):

cmpl $0x0,0x8(%ebp)
js 16
mov 0x4,%eax
cmp %eax,0x8(%ebp)
jle 30
mov 0x8(%ebp),%eax
mov %eax,0x4(%esp)
movl $0x4c,(%esp)
call 25

Assembly, fixed version (the only change is jle -> jl):

cmpl $0x0,0x8(%ebp)
js 16
mov 0x4,%eax
cmp %eax,0x8(%ebp)
jl 30
mov 0x8(%ebp),%eax
mov %eax,0x4(%esp)
movl $0x4c,(%esp)
call 25

Binary, the seven bytes around the conditional jump (jle is opcode 7e, jl is 7c):

39 45 08 7e 1a 8b 45
39 45 08 7c 1a 8b 45

7e = 01111110
7c = 01111100

A single bit!

Source: Mike Perry, Seth Schoen
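The off-by-one above, as an added worked example (not code from the slides, from OpenSSH or from Mike Perry and Seth Schoen): a constructed model of the channel table in which the array is followed by one extra machine word standing in for whatever the heap holds right after it, and slots are read by address arithmetic so that, as in the compiled C, nothing but the caller's check guards the access. The table size, the fake pointer values and the sentinel 0x41414141 are assumptions for illustration; the two predicates are exactly the ones from the diff, and the last function counts how many bits separate the two jump opcodes.

```python
"""Off-by-one bounds check from CVE-2002-0083, modelled with raw memory reads (constructed example)."""
import ctypes

WORD = ctypes.sizeof(ctypes.c_size_t)

# Opcodes of the two x86 short conditional jumps shown on the slide.
JUMP_OPCODES = {0x7E: "jle", 0x7C: "jl"}


def build_channel_table(channels_alloc, past_end_value):
    """Allocate channels_alloc pointer-sized slots plus ONE extra word.

    The extra word is not part of the table: it stands in for the adjacent
    heap memory (assumed here to hold a value the attacker can influence).
    """
    table = (ctypes.c_size_t * (channels_alloc + 1))()
    for i in range(channels_alloc):
        table[i] = 0x1000 + i          # fake Channel* values for the valid entries
    table[channels_alloc] = past_end_value
    return table


def read_slot(table, index):
    """Read slot `index` by address arithmetic, with no Python bounds check.

    This mirrors what the compiled C does for channels[id]: the array length
    is never consulted, only the caller's check protects the access.
    """
    base = ctypes.addressof(table)
    return ctypes.c_size_t.from_address(base + index * WORD).value


def lookup_vulnerable(table, channels_alloc, cid):
    """OpenSSH 3.0.2 check, `if (id < 0 || id > channels_alloc)`: id == channels_alloc passes."""
    if cid < 0 or cid > channels_alloc:
        return None
    return read_slot(table, cid)


def lookup_fixed(table, channels_alloc, cid):
    """Fixed check, `if (id < 0 || id >= channels_alloc)`: id == channels_alloc is rejected."""
    if cid < 0 or cid >= channels_alloc:
        return None
    return read_slot(table, cid)


def opcode_bit_difference(a, b):
    """Number of bits that differ between two opcode bytes (jle 0x7e vs jl 0x7c)."""
    return bin(a ^ b).count("1")


def demo(channels_alloc=4, past_end_value=0x41414141):
    """Run both lookups on the boundary index and report what each returns."""
    table = build_channel_table(channels_alloc, past_end_value)
    return {
        "in_bounds_last": lookup_fixed(table, channels_alloc, channels_alloc - 1),
        "vulnerable_at_alloc": lookup_vulnerable(table, channels_alloc, channels_alloc),
        "fixed_at_alloc": lookup_fixed(table, channels_alloc, channels_alloc),
        "negative_rejected": lookup_vulnerable(table, channels_alloc, -1),
        "opcode_bits_changed": opcode_bit_difference(0x7E, 0x7C),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable lookup hands back the word past the end of the table as if it were a channel pointer; in the real daemon that pointer was then dereferenced, which is where the privilege escalation came from. Nothing in the binary marks the difference except the one flipped bit in the jump opcode, which is why a reader of the source alone cannot rule such a change out without a reproducible build to compare against.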

No reproducible builds
- Huge effort to verify TrueCrypt
- On-going work on reproducible builds (Tor, Debian)
- More awareness among developers needed
- Reflections on Trusting Trust, 1984, Ken Thompson
- Countering Trusting Trust through Diverse Double-Compiling, David A. Wheeler

Complete end-to-end independent verification
- How can you feel secure without it?

Development -> Build -> Distribution -> Installation

Development:
- trusted development environment

Build:
- trusted build environment
- reproducible builds
- trusted signing environment

Distribution:
- signed source
- signed binaries
- binary transparency

Installation:
- secure installation of keys
- signature verification
- reproducible installation
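The Build and Installation stages above, as an added example in Python (not code from the slides or from the ZTI): the same constructed source tree is archived twice, once by a naive tar+gzip and once by a build that pins the metadata the earlier slide lists as sources of difference (file order, timestamps via a SOURCE_DATE_EPOCH-style constant, owner, mode, gzip header time). Two parties get the same digest only from the pinned build, which is what lets an auditor's independent rebuild be checked against the digest a vendor published. The source files, the timestamps and the publish/verify helpers are assumptions for illustration; signing the digest and binary transparency are out of scope here.

```python
"""Reproducible archive build and independent re-verification (constructed example)."""
import gzip
import hashlib
import hmac
import io
import os
import tarfile
import tempfile

SOURCE_DATE_EPOCH = 1_500_000_000  # fixed time the build embeds instead of "now" (assumed)

# Constructed source tree; a real project would come from a signed checkout.
SOURCE_TREE = {
    "README": b"ZeroTrust demo\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}


def write_tree(root, mtime):
    """Materialise SOURCE_TREE under root, stamping every file with mtime."""
    for rel, data in SOURCE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))


def build_naive(root):
    """Default tar+gzip: records file mtimes, owner, walk order and gzip time."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                tar.add(path, arcname=os.path.relpath(path, root))
    return buf.getvalue()


def build_reproducible(root, epoch=SOURCE_DATE_EPOCH):
    """Same content, with every source of nondeterminism pinned."""
    paths = sorted(
        os.path.relpath(os.path.join(d, f), root)
        for d, _, fs in os.walk(root) for f in fs
    )
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=epoch) as gz:  # fixed gzip header time
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.USTAR_FORMAT) as tar:
            for rel in paths:                                         # deterministic order
                full = os.path.join(root, rel)
                info = tar.gettarinfo(full, arcname=rel)
                info.mtime = epoch                                    # no filesystem time
                info.uid = info.gid = 0                               # no builder identity
                info.uname = info.gname = ""
                info.mode = 0o755 if info.mode & 0o111 else 0o644     # no umask leakage
                with open(full, "rb") as f:
                    tar.addfile(info, f)
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def compare_builds():
    """Build the same sources on two 'machines' with different file timestamps."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_tree(a, mtime=1_000_000_000)   # vendor checkout, old timestamps
        write_tree(b, mtime=1_600_000_000)   # auditor checkout, fresh timestamps
        return {
            "naive_identical": sha256(build_naive(a)) == sha256(build_naive(b)),
            "reproducible_identical": sha256(build_reproducible(a)) == sha256(build_reproducible(b)),
        }


def verify_rebuild(published_sha256, rebuilt_archive):
    """Installation-side check: does my independent rebuild match the published digest?"""
    return hmac.compare_digest(published_sha256, sha256(rebuilt_archive))


def publish_and_verify():
    """Vendor publishes a digest; auditor rebuilds from the same sources and checks it."""
    with tempfile.TemporaryDirectory() as vendor, tempfile.TemporaryDirectory() as auditor:
        write_tree(vendor, mtime=1_000_000_000)
        write_tree(auditor, mtime=1_600_000_000)
        published = sha256(build_reproducible(vendor))
        rebuilt = build_reproducible(auditor)
        tampered = rebuilt[:-1] + bytes([rebuilt[-1] ^ 0x01])  # flip one bit, as on the slide
        return verify_rebuild(published, rebuilt), verify_rebuild(published, tampered)


if __name__ == "__main__":
    print(compare_builds())
    print(publish_and_verify())
```

The same knobs exist in the real toolchain: GNU tar has --sort=name, --mtime, --owner=0 --group=0 --numeric-owner, and the SOURCE_DATE_EPOCH environment variable is honoured by gcc for __DATE__ and __TIME__ and by many packaging tools, so the pinned build above is the pattern, not a toy shortcut.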

Cryptography
- publicly available algorithms
- extensive peer review
- publicly available cryptanalysis results

Cryptography: the result?
- secret, home-grown crypto uncommon
- the strongest link in the chain

Why not trust?
- agencies can ask or force organizations to put in backdoors
- people can be criminals
- people can be bribed
- people can be intimidated
- people can be incompetent
- people's computers can be hacked

The Solution
- don't destroy business
- propose a license for auditing/reporting purposes
- encourage and promote reproducible builds
- talk to toolchain vendors
- talk to platform vendors to make verification possible
- propose ways to protect IP

The Ultimate Goal

ZeroTrust as a natural element of security hygiene

Tough questions / Common concerns

V: We make money by selling our software and don't want to destroy our business by giving it away for free.

ZT: The ZTI doesn't expect your company to start giving products away for free. ZTI will propose a license that allows releasing the source code, but only for auditing and reporting purposes.

V: We don't want our competitors to use the code we would release as Open Source.

ZT: Under the ZTI license that would be illegal. Your competitor will also be at a disadvantage for not releasing their code.

V: Our current code is a mess. We also have binary blobs from other vendors and no chance of getting the source code for those.

ZT: Then don't release it. We fully understand it might be too expensive and too risky to release the current source code. But when you start building a new product, do it according to the ZTI ideology.

V: It won't work, nobody will be interested, we are too big to try.

ZT: Start with small steps. Release a ZeroTrust version of your product with limited functionality and see what the market chooses.

V: How about, to slow down the competitors, we release the source code some time after releasing the binaries?

ZT: Bad idea. This means people who care will have to wait for your product to become verifiable.

V: Opening the source code solves nothing! No one will ever be able to audit my entire code anyway!

ZT: That's possible, of course, but it's not crucial. People may want to audit the code once they suspect something. Independent parties may audit the code and I can choose whom to trust. It is much more risky to put a backdoor into a product with open source.

V: Open source software is less secure, because it is easier to find security bugs.

ZT: Yes, it is easier to find bugs, but…

[Chart: Time to find a security bug, Open Source vs. Closed Source; x-axis 0m to 48m; series: Agencies, Cybercriminals, Whitehat community]

[Chart: Time the bug can be exploited by Cybercriminals; Open Source 12m, Closed Source 24m: 12m < 24m]

[Chart: Time the bug can be exploited by Government Agencies; Open Source 18m, Closed Source 36m: 18m < 36m]

V: For my product to work effectively I cannot disclose the source code. For example, spammers will quickly learn how to bypass my anti-spam solution.

ZT: Sure, it is your call. Release as much source code as you can and let your customers decide whether this explanation convinces them, or whether they prefer a ZT alternative. You may also design your software so that the binary-only functionality is enclosed in a tight sandbox (watch out for side-channel attacks).

V: How can the ZTI ideology be applied to cloud service providers?

ZT: We don't know yet, but see tarsnap and sync.com.

V: I'm a vendor from the USA and after the Edward Snowden leaks nobody trusts me anymore. What do I do?

ZT: Boy, do we have great news for you! Join the ZTI and rebuild your trust!

To sum up…
- don't blindly trust the vendors
- having source code is always better, but be sure the source code matches the binaries
- start looking for ZeroTrust products
- support vendors that apply ZTI even if they provide alternative versions of their products - show them that you care
- imagine your whole IT infrastructure built on top of ZeroTrust products, and it will be so!

https://www.facebook.com/ZeroTrustInitiative