Partha Dasgupta, Arizona State University
Consumer Identity and Consumer Computing Security
Rev.2–Feb. 2004
Background
Personal authentication: stopping ID theft
Hardware-based security beyond TCG: HTM (Hardware Trust Management)
Software-based security: STM (Software Trust Management)
If I didn't wake up, I'd still be sleeping.
"Look what a fine mess you've gotten us into, Ollie!"
Fine Mess?
The Internet for the masses was deployed about 9 years ago; Internet security measures were phased in over the next 3-4 years: SSL/IPsec, firewalls, antivirus software, IDS systems, certificates.
Yet the e-commerce infrastructure is totally insecure: viruses, phishing attacks, scams, social engineering.
Identity theft and financial embezzlement are increasing at an alarming rate.
Pharming attacks and rootkits: more insidious methods are coming.
The Problem
Private information is easy to compromise: viruses, keyboard sniffers and rootkits are getting common, and the threats are significant.
Financial and business information is at risk: money is involved, and losses can be large (even if consumers are not held responsible).
Trusted platform designs are needed immediately: all known software-only methods are at risk, and rootkits are undetectable from within the compromised system.
Viruses have "unlimited power": steal, cheat, fool, spoof, masquerade, change input/output.
A nickel ain't worth a dime anymore
Personal Identity Security
Identity: a property of humans, devices, entities. Authentication: "what you know, what you have and who you are".
Transactions run on behalf of Alice MUST be initiated by Alice, with the knowledge of Alice.
Identity assurance in the present day is irretrievably broken.
Shared secrets do not work.
The undeniable truth: any "private" information can and will be misused.
System Security
Network security has been studied in depth and countermeasures have been deployed effectively.
Attacks: sniffing, TCP/IP stack attacks, replay attacks, modification attacks, DoS attacks. Countermeasures: firewalls and the measures listed earlier.
DoS vs. other attacks: DoS is not in the same class as the others.
System security has taken a back seat: virus detectors are not effective.
Nero fiddled while Rome burned
“What is your Threat Model?”
To design effective security procedures we need a good threat model
Threat models formalize risks. Solutions can be tailored to meet the risks contained in the threat model. Realistic threat models are needed; a threat model can also be "too strong".
The network security solutions are based on the "Internet Threat Model (ITM)": hosts are secure and trustable, the network is not.
What is a good threat model for system security?
You should always go to other people's funerals. Otherwise they won't come to yours.
The Thompson Threat Model
Ken Thompson, Turing Award Lecture 1984
Reflections on Trusting Trust
Bottom line: if you did not write the code, the compiler and the assembler yourself, you cannot trust a program.
Software cannot be trusted.
Ken Thompson: "The moral is obvious. You can't trust code that you did not totally create yourself. ... No amount of source-level verification or scrutiny will protect you from using untrusted code. ... A well installed microcode bug will be almost impossible to detect."
Viral Threat Model
The Thompson Threat Model (TTM) is "too strong". The Viral Threat Model (VTM) instead assumes: the network can be trusted; hosts are not to be trusted.
Network security has solved the network problems; even without security measures, networks are remarkably secure.
Why distrust the hosts? Viruses are pervasive, and anti-viral software is myopic and ineffective. General-purpose software has continually shown vulnerabilities (which will not get fixed: the installed base is large).
If all software is subject to viral threat, then the VTM becomes equivalent to the TTM.
Modify the threat model to include trusted software.
You've got to be very careful if you don't know where you're going, because you might not get there.
Modified Viral Threat Model
Some software is assumed to be immune to viral attack.
Is this weaker, and therefore ineffective? It cannot prevent every attack, but can we make threats low-incidence and tolerable?
Like crime in society: detection, punishment, effective policies? "Trust but verify".
Commodity applications have (and will have) vulnerabilities.
Commodity operating systems have (and will have) vulnerabilities.
We made too many wrong mistakes.
Bottom Line
No PKI, no security
Secure processors need a "human in the loop".
Human in the loop means a human must be able to see securely and communicate securely: a secure display and a secure keyboard (not software controlled).
Programmability may be a curse.
Multi Factor Authentication
Factor           Example      Weakness
What you know    Password     Sniffable, phishable, leaky
What you have    ID card      Depends on the card
Who you are      Biometrics   VERY VULNERABLE: not to be used for ID at a distance; ID theft vulnerability
Public Key Infrastructure
Too complicated (for consumers)?
Unnecessary? Everything works "all right" without PKI; no one understands PKI; will my grandma use PKI?
Reality check: nothing is working "all right" right now!
Components: public key, private key (keep this secret), certificate, certificate authority.
Why PKI?
Can shared secrets be eliminated? Make all "secret information" public (privacy is a separate issue); use public keys as identity and challenge-response as the authentication technique.
Need mobile gadgets that work in e-commerce as well as in brick-and-mortar locations: PKI-enabled "smart cards".
Bad news: this approach is vulnerable under the VTM.
DoD Common Access Card: a well designed authentication system... but...
Common Access Card: private keys are secure on the card; challenge-response ensures non-spoofable identification and signatures; certificates provide MITM resilience; all transactions can be signed by the card.
A virus on the host can trick the card into performing signatures and challenge-responses without the owner's permission: PIN phishing, malicious log-on, fraudulent signatures and transactions, possible software download vulnerabilities.
Solution?
Human in the loop: each time a PKI operation is performed, a human has to know what is going on.
Need out-of-band methods for verification of transactions. Cell phone calls?
Research issue 1: how to put the human in charge?
Research issue 2: how to minimize human interference without compromising security?
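The failure mode on the Common Access Card slide (a host virus driving the card) and the fix proposed here (a human confirming each PKI operation out of band), as an added Go example; this is not code from the original slides or from any real CAC interface. The card is modelled with an Ed25519 key, the Holder confirmation channel stands in for the card's own secure display/keypad, and the site name bank.example and the transaction texts are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Card models a PKI-enabled smart card (CAC style): the private key never
// leaves it, and it signs whatever a host asks it to sign.
type Card struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey // the holder's identity; nothing secret is ever shared with a verifier
	confirm func(string) bool // out-of-band channel to the holder; nil = no human in the loop
}

func NewCard(confirm func(string) bool) *Card {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Card{priv: priv, Pub: pub, confirm: confirm}
}

// signedBytes binds a signature to its stated purpose, so a login response
// cannot be replayed as a payment authorisation or vice versa.
func signedBytes(purpose string, payload []byte) []byte {
	return append([]byte(purpose+"\x00"), payload...)
}

// Sign is the card's one PKI operation. Without a human channel the card
// signs unconditionally; with one, the purpose is shown on the card's own
// display (not the host's screen) and the holder must confirm it first.
func (c *Card) Sign(purpose string, payload []byte) ([]byte, error) {
	if c.confirm != nil && !c.confirm(purpose) {
		return nil, errors.New("card: holder did not confirm: " + purpose)
	}
	return ed25519.Sign(c.priv, signedBytes(purpose, payload)), nil
}

// Verify is all a relying party needs: the public key, no shared secret.
func Verify(pub ed25519.PublicKey, purpose string, payload, sig []byte) bool {
	return ed25519.Verify(pub, signedBytes(purpose, payload), sig)
}

// Login is the challenge-response exchange: the site picks a fresh nonce, the
// host relays it to the card, the card signs it, the site checks the signature.
func Login(card *Card, site string) (bool, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	purpose := "login " + site
	sig, err := card.Sign(purpose, nonce)
	if err != nil {
		return false, err
	}
	return Verify(card.Pub, purpose, nonce, sig), nil
}

// VirusAttack is a compromised host: while the card is inserted it requests a
// signature over a transaction the holder never intended (constructed sample).
// It reports whether a relying party would accept the result.
func VirusAttack(card *Card) (bool, error) {
	purpose := "pay 10000 to attacker"
	tx := []byte("transfer 10000 from holder account to attacker account")
	sig, err := card.Sign(purpose, tx)
	if err != nil {
		return false, err
	}
	return Verify(card.Pub, purpose, tx, sig), nil
}

// Holder models the human at the secure keypad: confirms only the operations
// they actually intend, judged by the purpose text the card displays.
func Holder(intended ...string) func(string) bool {
	return func(purpose string) bool {
		for _, p := range intended {
			if p == purpose {
				return true
			}
		}
		return false
	}
}

func main() {
	fraud, _ := VirusAttack(NewCard(nil))
	fmt.Println("no human in the loop, fraudulent signature accepted:", fraud)
	card := NewCard(Holder("login bank.example"))
	ok, _ := Login(card, "bank.example")
	_, err := VirusAttack(card)
	fmt.Println("intended login accepted:", ok, "| virus attempt:", err)
}
```

Two design points: the confirmation must come through a channel the host cannot forge (here the `confirm` callback stands for the card's own display and keypad; a prompt drawn by the host's software would be phishable, which is the PIN phishing case above), and the purpose string is part of what is signed, so a response the holder approved for login cannot be presented to a bank as a payment.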
This is secure? Yeah, right.
Security Appliance
Computer: applications, web browser, plug-ins, viruses. NOT secure.
Secure processor: PKI software, keys, certificates, trusted keys. Secure, preferably non-programmable.
More Secure Devices
Mobile devices, movable devices, wireless-enabled devices, infrastructural devices, server security.
Products: antivirus protection, "secure downloads".
"Secure" processor with bus access: check the OS for untrusted code; check the applications for untrusted code.
MVTM Software Approach
How to secure computing systems under the MVTM? Some software has to be declared trusted.
Trusted software: functions as advertised, independently verified, cannot be "easily" compromised. Compromise of trusted software should be detectable. Hardware techniques may be used to "check" or "verify".
Trust delegation: trusted software can declare other software to be trusted (at a lower trust level). This leads to hierarchies of trust.
The above solution is a start; we plan to refine it.
Two Approaches
The software approach: a VMM that is trusted (augmented with hardware checking). The VMM checks on the OS. Add vault features to the VMM? Not advisable, see later. Secure human I/O needed.
The hardware approach: a hardware "OS" in hardware, a vault plus a checker for the software OS (similar to the software approach above). It works independently from the software (it is the "boss") and has complete access to physical memory (and virtual memory). Secure human I/O needed.
Both approaches need a "human in the loop".
Hierarchical Trust Management
A chain of "checkers" with levels of trust; it need not be a single chain.
Attacking a VMM
Layers: application, OS, VMM. Attacker path: rootkit the OS, rootkit the VMM, install attack code.
VMMs are not impervious, but they may be harder to attack and can be hardened.
Securing the VMM
The VMM is small, so vulnerability testing can be simpler (hopefully).
Do not include networking support in the VMM. Do not include security/trust management in the VMM.
The VMM can check the OS for rootkits; the OS can run virus detectors for applications; "signed applications only" for secure systems.
Add a special trusted system as a HOS on the VMM: the Security Manager (SM).
The SM can check the VMM for rootkits (verification); the VMM can check the SM for rootkits (verification).
The Software Trust Manager
The SM is a small OS + application suite that runs in a separate virtual machine.
It has at least the following: network stack and termination (SSL/IPsec terminations, NAT server, DHCP); key vault + signature software; stored hashes of applications/OS/VMM; stored trusted public keys; secure I/O to the human.
Functions: checking software, signature verification, digital signatures, human-in-the-loop policies.
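The hash-checking and trust-delegation scheme sketched on the MVTM Software Approach, Securing the VMM and Software Trust Manager slides (a trusted layer stores hashes of the layer below it and may declare further software trusted at a lower level, anchored in trusted public keys the human has verified), as an added Go example; this is not code from the original slides or from the author's prototype. Manifests are signed with Ed25519 keys, the "root" key stands for the key held by the hardware checker or SM, and the layer names, sample images and forgery scenario are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is what a trusted layer publishes about the layer below it: expected
// hashes of that layer's code, plus the key that layer may use to vouch for the next level down.
type Manifest struct {
	Level    int               `json:"level"`    // 0 = VMM, 1 = OS, 2 = applications
	Hashes   map[string]string `json:"hashes"`   // image name -> hex SHA-256
	Delegate []byte            `json:"delegate"` // ed25519 public key for the next level; nil at the leaf
}

// SignedManifest: canonical JSON (encoding/json sorts map keys) plus the signature of the layer above.
type SignedManifest struct {
	Body []byte
	Sig  []byte
}

func digest(image []byte) string { s := sha256.Sum256(image); return hex.EncodeToString(s[:]) }

func SignManifest(signer ed25519.PrivateKey, m Manifest) SignedManifest {
	body, _ := json.Marshal(m) // cannot fail for these field types
	return SignedManifest{Body: body, Sig: ed25519.Sign(signer, body)}
}

// VerifyChain is the checker. From the root key the human installed, it checks each
// manifest's signature, hashes the images actually present and descends with the
// delegated key. It returns how many levels passed and the first failure.
func VerifyChain(root ed25519.PublicKey, chain []SignedManifest, images map[string][]byte) (int, error) {
	key := root
	for i, sm := range chain {
		// length check first: ed25519.Verify panics on a malformed key
		if len(key) != ed25519.PublicKeySize || !ed25519.Verify(key, sm.Body, sm.Sig) {
			return i, fmt.Errorf("level %d: manifest signature invalid", i)
		}
		var m Manifest
		if err := json.Unmarshal(sm.Body, &m); err != nil {
			return i, err
		}
		if m.Level != i {
			return i, fmt.Errorf("level %d: manifest claims level %d (reordered chain)", i, m.Level)
		}
		for name, want := range m.Hashes {
			if img, ok := images[name]; !ok || digest(img) != want {
				return i, fmt.Errorf("level %d: %s missing or hash mismatch (tampered or rootkitted)", i, name)
			}
		}
		key = ed25519.PublicKey(m.Delegate)
	}
	return len(chain), nil
}

// SampleImages stands in for the code of each layer (constructed sample data).
func SampleImages() map[string][]byte {
	return map[string][]byte{
		"vmm":         []byte("vmm build 1.0"),
		"os":          []byte("host os kernel 2.6"),
		"app-browser": []byte("browser 7.2"),
		"app-mail":    []byte("mail client 3.1"),
	}
}

// BuildChain: the root key (held by the hardware checker or SM, installed with human
// verification) signs the VMM manifest; the key delegated to the VMM signs the OS
// manifest; the key delegated to the OS signs the application manifest ("signed apps only").
func BuildChain(images map[string][]byte) (ed25519.PublicKey, []SignedManifest) {
	layers := [][]string{{"vmm"}, {"os"}, {"app-browser", "app-mail"}}
	rootPub, signer, _ := ed25519.GenerateKey(rand.Reader)
	var chain []SignedManifest
	for lvl, names := range layers {
		m := Manifest{Level: lvl, Hashes: map[string]string{}}
		for _, n := range names {
			m.Hashes[n] = digest(images[n])
		}
		var next ed25519.PrivateKey
		if lvl+1 < len(layers) { // hand the layer just described a key for the level below it
			m.Delegate, next, _ = ed25519.GenerateKey(rand.Reader)
		}
		chain = append(chain, SignManifest(signer, m))
		signer = next
	}
	return rootPub, chain
}

// ForgeOSLevel models a rootkit that alters the OS and re-signs the OS manifest with
// its own key so the hash matches again; the VMM manifest delegated a different key.
func ForgeOSLevel(chain []SignedManifest, images map[string][]byte) []SignedManifest {
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	forged := append([]SignedManifest(nil), chain...)
	forged[1] = SignManifest(attacker, Manifest{Level: 1, Hashes: map[string]string{"os": digest(images["os"])}})
	return forged
}
```

The only trust that is not derived is the root public key; everything below it is checked, which is why the slides insist that "trusted public keys" and "trusted hashes" get human verification. The depth returned by VerifyChain tells the checker which layer to distrust: a failure at level 1 means the OS and everything it vouched for, while the VMM is still believed.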
Why Humans?
The SM needs to "talk" to a human, and to know it is talking to a human. Why?
Sign financial transactions; authentication, logging into secure sites; updating keys and certificates; updating hashes and trusted public keys; providing alerts; more?
How? A separate hardware channel, a separate hardware display/keyboard.
No system can be made secure without a secure human interface!
Key things
Security = private keys + humans + key vaults + hash checks on software
PKI is essential for authentication (shared secrets are a problem).
“Trusted Public Keys” and “Trusted Hashes” need human verification
Any financial transaction signing should use human verification
Bottom line: prevent viruses, yet assume viral attacks will happen and create defenses for that situation.
Trusted Hardware: TCG/TPM
A good direction: hardware is resilient to tampering and cannot be reprogrammed easily; a secure vault for keys/certificates.
Vulnerabilities: the TPM can be "fooled" by viral software; the TPM is under the control of the OS and can be bypassed; complex software layers may have vulnerabilities.
If the world were perfect, it wouldn't be.
The HTM Approach
Use a Hardware Module to check the Operating System
HTM must have secure I/O to user
Combined Trust Hierarchy
From most trusted to least trusted: hardware checker, VMM, SM, HOS, antivirus, signed apps, apps.
Near Term Research Plan
Fast prototyping: off-the-shelf VMM with minor modifications; SM as an application run on a stock OS; SM with added cryptographic protocols; SM secure I/O simulated; hardware checker on an FPGA board; VMM OS rootkit detector with a simple hashing scheme.
Testing and verification: insert code into applications and operating systems using "helpers" to check detection capabilities; attempt to update the VMM or SM and/or the hardware simulator.
I really didn't say everything I said.
Conclusions
System security is the next frontier. Cryptography is useless when keys can be stolen. Shared-secret schemes are bad; public keys can be ineffective too.
Integrated design needed: human verification + some hardware or robust software + protocols + policies.