Post on 14-Apr-2018
transcript
Secrets and Lies
a summary traversal of Bruce Schneier’s book
David Morgan
Complexity is the worst enemy of security.
Trajectory of our industry
[chart: security decreasing and complexity increasing, from earlier to later]
BECAUSE
“As systems get more complex [they do], they necessarily get more secure.”
Security of computer systems is a business problem
• a business uncertainty
• cost/benefit
  – what does it cost the business (not somebody else) to be secure?
  – what does it cost to not be secure?
  – which is the better deal?
• treated by risk management
Standardized practice, regulation, enforcement
• employment workplace
• environment
• air traffic
• building and civil engineering
• food and drug
• accounting
• computer products
“There's no reason to treat software any differently
from other products. Today Firestone can produce a
tire with a single systemic flaw and they're liable, but
Microsoft can produce an operating system with
multiple systemic flaws discovered per week and not
be liable. Today if a home builder sells you a house
with hidden flaws that make it easier for burglars to
break in, you can sue the home builder; if a software
company sells you a software system with the same
problem, you're stuck with the damages.” p. 8
3-step to sweeten the security deal
• enforce liabilities
• allow liability transfer among parties
• reduce risk
Enforce liabilities
• create (negative) incentive to be secure
  – prevailing vacuum: no liability → no incentive → no security
• enforce liabilities, apportioned among the parties
  – maker of vulnerable software
  – author of attack tool that exploits it
  – user of attack tool (“attacker”)
  – sysadmin for victim network
Enforce liabilities
• who gets the blame, and why?
  – 100% sysadmin     – available to blame
  – 0% tool user      – can’t catch him
  – 0% tool author    – can’t catch him
  – 0% maker          – liability unenforced
what if this changes?
Allow liability transfer among parties
• insurance industry
  – assuming liability is their business
• incentivize higher security with lower premiums
Provide mechanisms to reduce risk
• automatic by makers, pursuant to incentive
• security standards set, centralized, required by insurance industry
• outsourcing to firms that specialize in security
THE LANDSCAPE
what are the issues we need to address
Idle claim
• “this software is secure”
• idle because it is incomplete
  – does not address the system, only the product
  – does not address threat
• idle because it isn’t possible to attest
  – security weakness is about what you don’t know
  – you do not know what you don’t know
  – therefore you do not know your security weakness
Windows 10 promotional video
10-reasons-to-upgrade-to-Windows-10_security.mp4
…against what?
“most secure ever” probably means
• Windows 10 fixed more security vulnerabilities
• added more security features
  – than ever
It doesn’t mean…
• that it’s the most secure Windows ever
• that Microsoft knows whether it is
• that that’s knowable
• security is not black and white
• “We are secure” is naïve and simplistic
  – secure from whom?
  – secure against what?
• security of the system, not the product, counts
• context matters more than technology
  – security against average hacker ≠ against NSA
  – what is the size of the fire?
The landscape – themes
Some pre-digital threats
• theft
• embezzlement
• voyeurism
• extortion
• fraud
  – snake oil
• impersonation
Threats in the digital age
• theft
• embezzlement
• voyeurism
• extortion
• fraud
  – snake oil
• impersonation
Threats in any age
• bad guy has a business model too
• asset he threatens is worth only so much to him
• useful to good guy to understand that model
  – that way you might influence bad guy’s motive
(threat components: agent, means, opportunity, motive)
So what’s new with threats?
• automation
  – salami attack
• action at a distance
  – the world’s pickpockets are all in your house
• technique propagation
  – first attacker needs skill, others use his software
Technique propagation
So what’s new with threats?
• physical theft
  – stolen material gone
  – you can no longer use it – basis of legal injury
  – availability and integrity violated
• digital theft
  – stolen material still there – no similar injury
  – you can still use it
  – availability and integrity preserved
Attacks
• criminal
• publicity
• legal
Adversaries classified
• objectives
• access
• resources
• expertise
• risk
Adversaries
• hackers
• lone criminals
• malicious insiders
• industrial espionage
• press
• organized crime
• police
• terrorists
• national intelligence
• infowarriors
Security needs
• privacy
• multilevel security
• anonymity
• authentication
• integrity
• audit
• electronic currency
• proactive solutions
TECHNOLOGIES
what tools do we have to address the issues
Tools for offense and defense
• cryptography
• network
• software
• hardware
• etc - to discuss another day mostly, but:
  – Schneier devotes 12 chapters to “Part 2: Technologies”
  – I want to discuss “Computer Security” and “Software Reliability”
CIA triad again
Access control is central
• early, computer security stressed confidentiality
• because early research was military
• but confidentiality is about access control
• so are integrity and availability
• C, I, A all boil down to access control
  – C → about access for reading
  – I → about access for writing
  – A → about access itself, in general
• goal: authorized people have access to do what’s authorized, everyone else does not
Need access control?
• first computers – small scale, full trust: no
• became multi-user at scale: yes
• personal computers, single-user: no
• networking – multi-user at scale: yes
Access – subject & object
• subject
  – user
  – process
• objects
  – file
  – database record
  – device
  – memory region
  – another process (plug-in)
Controlling access
Control what can be done to objects
  – permissions
  – e.g. permission mechanisms in particular filesystems, ext or ntfs or…
or
Control what subjects can do
  – capabilities
  – e.g. database management systems
are these different methods, or different perspectives?
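One answer to that question, as an added example that is not part of the slides or of Schneier’s book: the same policy held as an access matrix, sliced by object (a permission list) and by subject (a capability list). The subjects, objects and rights are constructed sample data.

```python
# Added example (not from the slides or from Schneier's book): one access
# policy viewed two ways. Subjects, objects and rights are constructed
# sample data. The ACL indexes the policy by object ("what may be done to
# this object"); the capability list indexes it by subject ("what this
# subject may do"). Both are projections of the same access matrix.

ACCESS_MATRIX = {  # (subject, object) -> rights; constructed sample policy
    ("alice", "payroll.db"): {"read", "write"},
    ("bob", "payroll.db"): {"read"},
    ("bob", "/dev/printer"): {"write"},
    ("backup", "payroll.db"): {"read"},
}

def acl_view(matrix):
    """Per-object view: object -> {subject: rights}, as a filesystem stores it."""
    acl = {}
    for (subj, obj), rights in matrix.items():
        acl.setdefault(obj, {})[subj] = set(rights)
    return acl

def capability_view(matrix):
    """Per-subject view: subject -> {object: rights}, a capability list."""
    caps = {}
    for (subj, obj), rights in matrix.items():
        caps.setdefault(subj, {})[obj] = set(rights)
    return caps

def allowed_by_acl(acl, subj, obj, right):
    # Object-side check: find the object, then the subject's entry on it.
    return right in acl.get(obj, {}).get(subj, set())

def allowed_by_capability(caps, subj, obj, right):
    # Subject-side check: find the subject, then the object in its list.
    return right in caps.get(subj, {}).get(obj, set())

def views_agree(matrix):
    """True if both views decide identically for every subject/object/right,
    including combinations the matrix never mentions (both deny)."""
    acl, caps = acl_view(matrix), capability_view(matrix)
    subjects = {s for s, _ in matrix}
    objects = {o for _, o in matrix}
    rights = set().union(*matrix.values())
    return all(
        allowed_by_acl(acl, s, o, r) == allowed_by_capability(caps, s, o, r)
        for s in subjects for o in objects for r in rights
    )
```

Both views always agree, so the difference is where the policy lives (with the object or with the subject), which matters for revocation and delegation rather than for the decision itself.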
Security models
• multi-level
  – formalization of military classification/clearance
• Bell-LaPadula
  – no write down, no read up
• mandatory vs discretionary access controls
• Chinese wall
• Clark-Wilson
Security at low level (hardware/OS)
• reference monitor
  – active, explicit mediation of every access
• trusted computing base
  – set of components that collectively enforce a security policy
• secure kernel
  – (sub)set of components in the trusted computing base that implements the reference monitor specifically
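The Bell-LaPadula rules above and the reference monitor idea together, as an added example that is not code from the slides or from Schneier’s book: a toy monitor that mediates every read and write and records each decision. The level names, subjects and objects are constructed.

```python
# Toy reference monitor for Bell-LaPadula (added example; not the slides' code).
# Level names, subjects and objects below are constructed sample data.
# Every access is decided by check(); nothing touches an object except
# through it, which is the "active, explicit mediation" a monitor provides.

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

class ReferenceMonitor:
    def __init__(self, clearances, classifications):
        # subject -> clearance level name; object -> classification level name
        self.clearances = dict(clearances)
        self.classifications = dict(classifications)
        self.audit = []  # every decision is recorded (audit is itself a security need)

    def check(self, subject, obj, op):
        """Decide whether op ('read' or 'write') is permitted under BLP.
        Unknown subjects, objects or operations are denied: fail closed."""
        s = LEVELS.get(self.clearances.get(subject))
        o = LEVELS.get(self.classifications.get(obj))
        if s is None or o is None:
            decision = False
        elif op == "read":
            decision = s >= o   # simple security property: no read up
        elif op == "write":
            decision = s <= o   # *-property: no write down
        else:
            decision = False
        self.audit.append((subject, obj, op, decision))
        return decision

def demo():
    """Exercise the monitor on constructed subjects/objects; returns decisions."""
    rm = ReferenceMonitor(
        clearances={"analyst": "secret", "clerk": "unclassified"},
        classifications={"ops-plan": "top secret", "memo": "confidential",
                         "bulletin": "unclassified"},
    )
    return {
        "analyst reads memo": rm.check("analyst", "memo", "read"),          # read down: ok
        "analyst reads ops-plan": rm.check("analyst", "ops-plan", "read"),  # read up: denied
        "analyst writes bulletin": rm.check("analyst", "bulletin", "write"),# write down: denied
        "clerk writes ops-plan": rm.check("clerk", "ops-plan", "write"),    # write up: ok
        "stranger reads bulletin": rm.check("stranger", "bulletin", "read"),# unknown: denied
        "audit entries": len(rm.audit),
    }
```

Note that the *-property lets a low-cleared subject write into a high object it cannot read back; BLP protects confidentiality only, which is why integrity models such as Clark-Wilson exist alongside it.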
Multics operating system
• most successful historical implementation
• built with the security model and mathematical formalisms explicitly in mind
• small, 56,000 lines of code
  – 15 million in Windows 95
  – Linux similarly large
• last Multics system deactivated 2000
Covert channels
• communication channel that can transfer information in violation of a system’s security policy
• storage channels
  – least significant bits of color bytes in an image file
  – reserved or user-definable fields in packet headers
• timing channels
  – port knocking
  – non-covert timing channel: Morse code
http://funtranslations.com/morse#
Evaluation criteria
• Orange book
  – hierarchy of security level designations: D, C1, C2, B1, B2, B3, A
  – did not make systems provably secure
  – for local, stand-alone computers, not networked ones
  – varies from other nations’ standards efforts
• Common Criteria
  – international standardization effort
Software reliability
• Murphy’s computer
  – must work in the presence of random faults
  – adversaryless
• Satan’s computer
  – must work in the presence of deliberate faults
  – witted adversary
Murphy’s Law: Anything that can go wrong, will go wrong.
STRATEGIES
now what are we going to do about it all
Things you should keep in mind when you are securing… what?
• object of the verb: “the entire system”
  – all your organization’s computer infrastructure
  – plus your extended environment (not just equipment)
    • your office space
    • your people
  – plus your telecommute workers’ homes
  – plus your road warriors’ hotels
  – plus your trusted vendors’ “entire systems”
  – plus your ISP, plus your cloud provider, plus, plus, plus…
• Security is
  – a chain, weakest link breaks it (weak link == vulnerability)
  – a process, not a product
Security as a process/practice
• the math doesn’t fail
• the implementation of it fails, the process of using the math
  – sometimes I don’t buckle my bike helmet strap
  – sometimes I mis-distribute my crypto keys
• implementation could even exacerbate
  – iatrogenic effects – “iatro” doctor, “genic” originated
  – disease caused by treatment
Attack methodology
• Plan what to attack
• Plan how to attack
• Get in
• Do it
• Get out
  – Cleanse traces
  – Check evidence of how system is maintained
  – Install a future path back in
Vulnerabilities
• weak links in the chain
• intersection of
  – system susceptibility
  – attacker access to it
  – attacker capability
• vulnerability → “attack surface”
  – network attack surface
  – software attack surface
  – human attack surface
http://www.spi.dod.mil/tenets.htm
Countermeasures
• ways to reduce vulnerabilities
• 3 parts
  – protection
  – detection
  – reaction
Vulnerability landscape
• physical security
• virtual security
  – firewall == fence
  – authentication == gate guard
• the trust model
  – without benefit of an individual’s physical presence
• lifecycle of a system
Lifecycle of a system
• design
• manufacture
• shipment
• installation
• operation
• maintenance
Each stage is an opportunity for possible insertion of vulnerable components.
Rationally apply countermeasures
• protect against threats that pose greatest risk
• not against most manifest, ignoring all others
• value depends on context
  – attacker, defender may ascribe different value
  – teenagers steal floppies for value of the disk itself
Threat modeling
• figuring out all the ways to
  – rig an election
  – defeat secure communication
  – subvert electronic payment systems
• because your personality can’t help it
  – Mr. Cook model
• assess risk
  – some unlikely
  – some should be expected
  – which should you protect against?
Threat modeling
• identify and risk-rank threats
• decide a security policy to defend against them
• design countermeasures to effect the policy
  – protection
  – detection
  – reaction
Product testing and verification
• beta (functional) testing doesn’t test security
• security is independent of functionality
• products should “do what they’re designed to do and no more”
  – why “and no more”?
• beta testing tests that they do what they’re designed to do
Security testing
• can show presence of flaws
• cannot show absence of flaws
• trust comes only from long, broad, uneventful usage, not testing
  – RSA probably OK
  – prime factoring probably infeasible
Patch ≠ fix
• heartbleed public announcement & patch concurrent
• one minute later nothing was fixed
• one year later, is heartbleed fixed?
The future of products
• getting more complex
  – lines of code in successive Windows versions
  – number of function calls in OS’s
• so, getting less secure
• ever increasing insecurity (worse than entropy!!)
More complex, less secure
• number of security bugs
• modularity (exposure at interfaces)
• interconnectedness of systems
• more unknowable
• less susceptible to analysis
• increased testing requirements
Sun is gone, IOT is here
“Complexity is creeping into everything…. My old
thermostat had one dial…. My new thermostat has a
digital interface and a programming
manual….Thermostats based on Sun Microsystems’s
“Home Gateway” system come with an internet
connection, so you can conveniently contract with some
environmental company to operate your too-complicated
thermostat. Sun is envisioning Internet connections for
all your appliances and your door locks.”
-- year 2000
Security processes
• old approach
  – prevent threats
• new approach
  – accept threats, detect them and respond
  – manage the risk they pose
“Risk management is the future of digital security. Whoever learns how
to best manage risk is the one who will win. Insurance is one critical
component of this. Technical solutions to mitigate risk to the point
where it is insurable is another…. The prize doesn’t go to the company
that best avoids the threats, it goes to the company that best manages the
risks.”
look at the credit card industry