Software Security Professor Clark Thomborson Computer Science Department Auckland University NZ Information Security Forum, 1 st March 2001
Transcript
Page 1: Software Security Professor Clark Thomborson Computer Science Department Auckland University NZ Information Security Forum, 1 st March 2001.

Software Security

Professor Clark Thomborson

Computer Science Department

Auckland University

NZ Information Security Forum, 1st March 2001

Page 2: What do we want from Security?

Our home & office security systems should
– allow authorised access, and
– prevent unauthorised access.

Security systems are imperfect. They will
– deny access to an authorised user (type-1 fault),
– allow unauthorised access (type-2 fault), and
– misdefine “authorised” or “access” (type-3 fault).

Type-1 and type-2 faults are technical defects in implementation or operation.

Type-3 faults result from misunderstandings, disagreements or ignorance of law, ethics, economics, psychology, politics, technology…
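Added example, not from the talk: a small harness that checks an access-control implementation against its reference policy and sorts every disagreement into the type-1 and type-2 buckets defined above. The policy, the faulty implementation and the request list are all constructed for this example. It also shows the limit of such testing: a type-3 fault is a mistake in the reference policy itself, so a test that measures the implementation against that policy can never see it.

```python
"""Added example: sort an access-control implementation's mistakes into
type-1 and type-2 faults by checking it against a reference policy.
Policy, implementation and requests are all constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    subject: str    # who is asking
    resource: str   # what they want
    action: str     # "read" or "write"


# Reference policy (the specification, constructed): the owner of a file may
# read and write it; anyone may read a file under "public/"; all else denied.
OWNERS = {"reports/q1.txt": "alice", "public/faq.txt": "bob"}


def reference_policy(req: Request) -> bool:
    if req.resource.startswith("public/") and req.action == "read":
        return True
    return OWNERS.get(req.resource) == req.subject


# A deliberately faulty implementation (constructed). Two defects:
#  - it compares an upper-cased subject against the lower-case owner table,
#    so real owners are turned away (type-1);
#  - it treats anything *containing* "public/" as public and ignores the
#    action, so writes and nested paths slip through (type-2).
def faulty_impl(req: Request) -> bool:
    if "public/" in req.resource:
        return True
    return OWNERS.get(req.resource) == req.subject.upper()


def classify_faults(impl, spec, requests):
    """Return the requests on which impl disagrees with spec, by fault type.
    A type-3 fault (the spec itself is wrong) is invisible here: both
    decisions are measured against the spec, not against what was intended."""
    faults = {"type-1": [], "type-2": []}
    for req in requests:
        expected, actual = spec(req), impl(req)
        if expected and not actual:
            faults["type-1"].append(req)   # authorised user denied
        elif actual and not expected:
            faults["type-2"].append(req)   # unauthorised access allowed
    return faults


# Constructed test requests.
REQUESTS = [
    Request("alice", "reports/q1.txt", "write"),              # owner: should pass
    Request("mallory", "reports/q1.txt", "read"),             # stranger: deny
    Request("carol", "public/faq.txt", "read"),               # public read: pass
    Request("mallory", "public/faq.txt", "write"),            # public write: deny
    Request("mallory", "reports/public/secret.txt", "read"),  # not actually public
]

if __name__ == "__main__":
    result = classify_faults(faulty_impl, reference_policy, REQUESTS)
    for kind, reqs in result.items():
        print(kind, [(r.subject, r.resource, r.action) for r in reqs])
```

Running it reports one type-1 fault (alice, the owner, is refused) and two type-2 faults (a write to a public file and a read of a nested path that merely contains "public/"). Swapping `reference_policy` in as the implementation yields no faults at all, which is exactly why a wrong policy (type-3) cannot be caught this way.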

Page 3: Technological Utopia

Most technologists prefer “open systems”. Physical analogy: an open door allows access to anyone (who can “walk up to the door”).

Examples of open-access systems:
– Free-to-air television allows unrestricted viewing (if you have a TV in a broadcaster’s area);
– The world-wide web allows unrestricted viewing (if you have a computer, web-browser software, and an ISP).

Virtues:
– extreme simplicity;
– no type-2 faults (there are no unauthorised accesses!);
– wonderful possibilities for interoperability with other systems.

Page 4: Type-1 Faults in Open Systems

Open systems may be overloaded, denying access from time to time.

Open systems may be subverted, becoming inoperable from time to time.
– A hacker may overwrite my website. (Type-3 fault? I intend my website to allow open-access for viewing, but not open-access for writing!)
– My email may contain a virus. (Type-3 fault? I intend my email ‘inbox’ to be open-access for incoming mail, and I like the “easy-open features” of MS OE, but I don’t want to lose control of my computer!)

Page 5: Type-3 Faults in Open Systems

Economic: donations, advertising revenues, subsidies, or other indirect funding may be insufficient to sustain operations.

Legal: civil (e.g. infringement through MP3 downloads) or criminal (e.g. supplying pornography).

Ethical: is it appropriate to value our “right to know” above our “right to privacy” and our “right to fair compensation for work”?

Page 6: Extreme Solutions

Open systems avoid type-2 faults. Non-responsive systems avoid type-1 faults: they never allow an unauthorised access!

Most well-designed systems have some access restrictions, in three layers:
– Prevention, to limit type-1 and type-2 faults.
– Detection, to discover faults.
– Response, to minimise future faults.

Page 7: Prevention Techniques (Controls)

There are three main classes of control:
– Ethical controls, e.g. “Thou shalt not steal”;
– Legal controls, enforced by the state;
– Technical controls, enforced by systems design. Example: authentication by passwords, smartcards, or biometrics.

Software security systems allow (and require) new forms of control.

Challenge: the controls in “physical systems” may not have analogues in “virtual systems”.

Page 8: Ethical Challenges

When I think about copying software or music for a friend, should I pay attention to
– “Thou shalt not steal” (Mosaic law) or
– “Faith, hope, charity” (Christian virtue)?

We have well-developed ethics to guide our distribution of physical goods: consider water and gold.

We are just beginning to develop an ethics to guide our distribution of software.
– Free software:

Page 9: The Ethics of Free Software (John Goerzen)

“Proprietary (or closed) software lacks many of the benefits that society has derived from the marvels of the industrial revolution.”

“When a proprietary project is developed, there is no peer review.”

“Imagine taking a flight on a jumbo jet designed by only a single person with no safety review from others.”
– http://www.complete.org/papers/fsethics/

Page 10: Emergent Ethics of Software Piracy?

“Insider’s entitlement”: if you’re clever enough to find “warez” then you deserve to have it without paying.

However… A “lamer” is someone who “scams codes off others, rather than doing cracks or really understanding the fundamental concepts.”
– The New Hacker’s Dictionary, http://www.tuxedo.org/~esr/jargon

Page 11: Ethical Analysis of Copyright

Samuel Johnson: “For the general good of the world,” a writer’s work “should be understood as belonging to the publick.” (The public’s right to information.)

Richard Aston: it is “against natural reason and moral rectitude” that a government should “strip businesses of their property after fourteen years.” (The publisher’s right to compensation.)

Page 12: A Chinese Ethics of Copyright?

Pirated software is easily available in Hong Kong. What is “fair compensation for work” in China?
– Multinationals might pay USD $0.11/hour for labour; is this consistent with copyright charges?

The Confucian ethic of “Wen” implies that Mandarins should produce (but not sell) art.

What were Mao’s thoughts on copyright?

China is a signatory to international copyright agreements. The government promises to enforce the agreements, but I wonder about the process of developing an ethic of compliance.

Page 13: Legal Challenges

Defining the boundaries of “intellectual property” (law of copyright, patent, trademark, trade secret, as applied to software systems and databases).

Jurisdictional disputes: which nation’s laws should apply?

Distinguishing between authorised use and abuse, especially in open systems: 1 million customers/day at a website is ok, but 1 billion “SYN” messages from a virus-swarm is not ok!
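Added example, not part of the talk: the detection and response layers from the “Extreme Solutions” slide applied to the use-versus-abuse distinction made here. A sliding-window counter per source lets ordinary customer traffic through and flags a sender whose connection attempts exceed a limit within a short window; the response (a block list consulted on the next packet) sits in the same code path, which is the only way to “change the locks” within milliseconds rather than after a human has read the logs. The log lines, addresses, threshold and window are all constructed for this example.

```python
"""Added example: sliding-window flood detection with automatic blocking.
Log format and every value below are constructed for the example."""
from collections import defaultdict, deque

# Constructed log lines: "<epoch-ms> <source-address> <event>".
# 203.0.113.7 is the swarm; 198.51.100.2 is an ordinary customer.
SAMPLE_LOG = """\
1000 203.0.113.7 SYN
1005 198.51.100.2 SYN
1010 203.0.113.7 SYN
1012 203.0.113.7 SYN
1015 203.0.113.7 SYN
1016 203.0.113.7 SYN
1018 203.0.113.7 SYN
1020 198.51.100.2 SYN
1022 203.0.113.7 SYN
2500 198.51.100.2 SYN
"""


class FloodDetector:
    """Detection: count each source's SYNs inside a sliding window.
    Response: once a source exceeds `limit`, add it to the block list so
    its later packets are dropped without further counting."""

    def __init__(self, limit=5, window_ms=100):
        self.limit = limit
        self.window_ms = window_ms
        self.recent = defaultdict(deque)   # source -> timestamps in window
        self.blocked = set()
        self.alerts = []                   # (timestamp, source, count)

    def observe(self, ts, source):
        if source in self.blocked:
            return "dropped"               # response already in force
        window = self.recent[source]
        window.append(ts)
        while window and ts - window[0] > self.window_ms:
            window.popleft()               # forget timestamps outside window
        if len(window) > self.limit:
            self.blocked.add(source)       # change the locks immediately
            self.alerts.append((ts, source, len(window)))
            return "blocked"
        return "accepted"


def run(log_text, limit=5, window_ms=100):
    """Feed every SYN line to the detector; return it and the per-line verdicts."""
    detector = FloodDetector(limit, window_ms)
    outcomes = []
    for line in log_text.splitlines():
        ts, source, event = line.split()
        if event == "SYN":
            outcomes.append((source, detector.observe(int(ts), source)))
    return detector, outcomes


if __name__ == "__main__":
    det, verdicts = run(SAMPLE_LOG)
    for source, verdict in verdicts:
        print(f"{source:14} {verdict}")
    print("alerts:", det.alerts)
```

With the constructed input the customer’s three SYNs, spread over 1.5 seconds, are all accepted, while the swarm source is blocked on its sixth SYN inside 100 ms and its next packet is dropped. The threshold is the policy decision the slide is really about: set it from the observed rate of legitimate customers, not from the attack you last saw.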

Page 14: Technical Challenge: Ubiquity

World-wide reachability: billions of potential attackers!

A person robbing a physical bank vault must travel to the vault, and transport the spoils.

A person robbing a “virtual bank” may do so from anywhere on the planet.

Virtual systems and virtual attackers lack “physical presence”!

Page 15: Technical Challenge: Speed

Virtual systems may operate at inhumanly-fast speeds, overrunning our ability to respond to a new type of attack.

How can we “change the locks” on a virtual door within milliseconds of an attack???

Page 16: Technical Challenge: Identity

Existing security systems for the physical world rely on millennia of practical and legal experience in establishing identity and responsibility.

“Virtual identity” is in its infancy, although PKI is a good start…

Page 17: Authorisation in a Virtual World

In a traditional library, a person must walk through a door in order to view a copy of a book. Technology: locks, library cards, magnetic strips & detectors, ...

In a virtual library, a person delegates authority to a software proxy.
– A 14-digit code, when typed on my computer keyboard, will authorise my web-browsing software to act as my proxy at my University’s online library.
– My proxy can make copies of library materials.
– Technology: access codes, passwords, proxies, …
– Security issues: unauthorised copying, impersonation.

Type-3 question: What access controls are appropriate for a virtual library?

Page 18: Technical Challenge: Complexity

A lone attacker can spend a long time analyzing a system before mounting a widespread attack.

The security analyst doesn’t have the luxury of time when analyzing what might be going wrong in a complex system.

A hasty fix may cause more damage than the attack!

Page 19: Novel Controls on Software Piracy (my research)

We can “obfuscate” software.
– Obfuscated software is very difficult for a human to understand, so it resists “reverse engineering”.
– Obfuscated software is functionally identical to the unobfuscated version.

Obfuscation will limit unauthorised modification of software.

It is very difficult to prevent unauthorised copying, reuse, and resale of software.
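Added example, not the speaker’s research tooling: a toy obfuscator built on Python’s `ast` module that applies two textbook transformations to a small function, identifier renaming and an opaque predicate (a guard that is always true, here because n·(n+1) is always even, but that a reader must reason about to discover). The point of the example is the second bullet above: the obfuscated function is checked to be functionally identical to the original by running both on the same inputs. The target function `checksum` is constructed; `ast.unparse` requires Python 3.9 or later.

```python
"""Added example: renaming plus an opaque predicate, with an equivalence check.
The target function is constructed for the example."""
import ast

SOURCE = '''
def checksum(data, seed):
    total = seed
    for byte in data:
        total = (total * 31 + byte) & 0xFFFF
    return total
'''


class Renamer(ast.NodeTransformer):
    """Replace every local identifier according to `mapping`."""

    def __init__(self, mapping):
        self.mapping = mapping

    def visit_Name(self, node):
        node.id = self.mapping.get(node.id, node.id)
        return node

    def visit_arg(self, node):
        node.arg = self.mapping.get(node.arg, node.arg)
        return node


def obfuscate(src):
    """Return obfuscated source for the single function defined in `src`."""
    tree = ast.parse(src)
    fn = tree.body[0]
    assert isinstance(fn, ast.FunctionDef)

    # 1. Rename: collect parameters and every assigned local, map them to
    #    meaningless names so variable names no longer document intent.
    local_names = {a.arg for a in fn.args.args}
    for node in ast.walk(fn):
        if isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            local_names.add(node.id)
    mapping = {name: f"_{i:03x}" for i, name in enumerate(sorted(local_names))}
    Renamer(mapping).visit(fn)

    # 2. Opaque predicate: n*(n+1) is always even, so the guard is always
    #    true and the else-branch is dead, but a decompiler cannot tell
    #    without reasoning about the arithmetic.
    first = fn.args.args[0].arg
    pred = ast.parse(f"(len({first}) * (len({first}) + 1)) % 2 == 0",
                     mode="eval").body
    guard = ast.If(test=pred, body=fn.body,
                   orelse=[ast.Return(value=ast.Constant(value=None))])
    fn.body = [guard]
    ast.fix_missing_locations(tree)
    return ast.unparse(tree)


def load(src, name="checksum"):
    """Execute `src` in a fresh namespace and return the named function."""
    namespace = {}
    exec(src, namespace)
    return namespace[name]


def demo():
    """Obfuscate SOURCE and check functional identity on sample inputs."""
    original = load(SOURCE)
    obf_src = obfuscate(SOURCE)
    obfuscated = load(obf_src)
    sample = b"abc"
    same = all(original(sample, s) == obfuscated(sample, s) for s in range(100))
    return obf_src, same


if __name__ == "__main__":
    src, same = demo()
    print(src)
    print("functionally identical on samples:", same)
```

The renamed output no longer contains `total`, `seed` or `byte`, and every sampled call returns the same value as the original. This is deliberately the weakest form of the technique: it raises the cost of reading the code, but a determined analyst with a debugger still recovers the behaviour, which is the qualification the slide’s last bullet makes.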

Page 20: Software Watermarking

We can add indelible “watermarks” or “fingerprints” to software.

Any copy of the software, even after common translations (such as decompiling and recompiling) will carry the watermark.

A watermark can identify the manufacturer. A fingerprint can identify the licensed owner. Unauthorised copying can be detected.

Page 21: Summary

Security systems suffer three types of faults:
– Denial of authorised access
– Allowing unauthorised access
– Inappropriate specification

Access can be controlled by ethical, legal and technological means.

Analogues to physical access controls, such as location, speed and identity, are lacking in software systems.

Software security is in its infancy; however, there are partial solutions.

