William Cheswick Presentation - CSO Perspectives Roadshow 2015

Date post: 08-Aug-2015
Transcript

Pullman Auckland, MONDAY, 9TH MARCH 2015

William Cheswick, Visiting Scholar, U. Penn.

Computer Security: I think we can win!

Introduction

• Some things that aren't working

• What I mean by winning

• Engineering goals

• How we might attain them?

• Who are you gonna call?

• Conclusion

Bad signs: Things Aren’t Working Well

Massive data spills

• Credit cards

• TJX, Target, Home Depot, Chase, etc.

• Passwords

• Rockyou, Facebook, Twitter, Linkedin, Google, Adobe, SnapChatDB, EverNote, Stratfor, …

• Movies, email, etc. (Sony…)

• Major data spills all the time

• I have to check the morning news before I give these talks

Bad Signs

• A visit to grandma

• Virus checkers

Wrong track: virus checkers

• Virus checkers

• Forget the halting problem (solution: ^C)

• Like running background checks on homeless people living in your bedroom

• StackGuard and similar technologies

• hobo-resistant rugs and furnishings

• Don’t get me wrong: we need these, for now.

Not working: checklists and audits

• Checklists certainly will catch oversights, but you are not secure when you are done

• PCI audits have missed major, embarrassing intrusions.

• Alas, these are often the response to our endemic problems.

Not Working: Best current practices

• Perhaps gives legal cover

• Can we actually even do any better?

• Effective solutions seem to be too invasive, too intense

• not good for business

Not working: Laws, General and Specific

• General: nice guidelines, but exactly how much protection does HIPAA demand

• Specific: see Checklists, above

• Liability: who will be left to write any software if you demand full liability?

Not working: Things we ask users to do

• Don’t click on attachments, especially of unknown origin.

• Pick an unmemorable password for each of dozens of sites, and don’t write them down.

• Remember our particular password rules

• Don’t go to bad URLs, e.g. micros0ft.com

Not working: user education

• They don’t (can’t!) understand the complexities of the computer and making the right decisions.

• Even the experts generally lack all the information needed to make the fully-informed choice.

• Even if you do know what you are doing, we all use computers when a little tired sometimes.

Not working: strong passwords

• Forty years of research and experience show that people can not select and remember a passphrase that is resistant to a full-blown dictionary attack; and especially not different ones for dozens of different sites.

• More poor engineering: it just doesn’t work by itself, and isn’t needed when used with the right authentication tools.

Not working: PKI

• The trusted CA list is way out of hand

• Major attacks find ways around this. Stuxnet, others.

• Try CertPatrol on Firefox to see what is going on

• (Actually, this is a cesspool. Certificate Transparency or similar efforts?)

Not working: perimeter security and firewalls

• 100,000 hosts is too many to protect

• 40 is about right, for me

• Typical company has 1–2 IP addresses per employee, as of 2006

• in one case: 5,000 firewalls, with 5,000 rules each?!

• Firewalls: low grade security. Perimeter defenses are easily penetrated, and that is probably not going to improve much.

Not working: back doors for maintenance

• sendmail in the 1980s

• Passwords into network devices, printers, etc.

• Intel’s SMM, for starters

• Ask your telco folks about widely-known passwords

Failed sandboxes/OSes

• Java - supposed to fix all this in the 1990s

• defeated by native methods

• Operating systems: fighting malicious users since the 1960s

• Many of the lessons have been ignored

Not working: legacy problems and software

The tyranny of legacy systems

• We can’t rewrite this, it’s our whole business, and our customers rely on it and want enhancements.

• (this started as a good system)

• Case in point: Cisco IOS. You can name a bunch more.

• Successes….

What is the current state of affairs? Lousy!

• Spies are all in our business

• Huge advantage to the attackers

• Crappy client operating systems

• leaky sandboxes

• feature-driven forces poor security choices

• A visit to grandma's house

Apparently, governments aren’t doing too well, either

• Numerous attacks on .mil

• Citizen hackers

• Insiders: Snowden, Assange, etc.

Stuxnet and Snowden: a peek at the spooks

• Stuxnet: I never dreamed we would learn about it

• Lots of careful, hard work, but mistakes happen

• No real technical surprises: just a lot of hard work

• The spooks have the same problems we do:

• USB sticks, excessive monitoring is counter-productive

• Intellink: Maintaining enclaves

The dog that hasn’t barked

• NSA might be best funded, but certainly isn’t the only group with similar capabilities.

• There are disincentives to publicize most break-ins

• Evil thoughts: email monitoring can yield M&A information, blackmail. For congressmen, blackmail big time, esp. phone records.

Sick and Tired

• APT are not Advanced, but certainly Persistent and Threats

• Most of the attacks are on the same kinds of weaknesses: we are not making much progress

• Consarn it, I am becoming an old timer!

Things are going to get better

Why?

• It is early in the game

• We haven’t been trying very hard (!)

• We can spend a lot on generating, testing, and verifying software, then distribute it for free and have strong assurances that we got what we were supposed to

• They are our computers, our software, and our networks. This home-field advantage should be very daunting for attackers.

It’s Early in the game

The car metaphor

• I didn’t like it: apples and oranges

• Now I do: grapes and raisins

• Consider the Ford Model T:

Ford Model T (1913)

• 20 hp

• ran on gasoline, kerosene, and ethanol

• rear wheel drive

• two speeds, plus reverse

Ford Model T (1913, cont.)

• grey, green, blue, and red

• 1909–1913; Not black!

• 1913 model (shown) was $550

• four months pay for an assembly line worker.

• Now, with Electric start!

• Modern UI was at least three years away

Some old-timey auto stuff

• Fading terms: choke, “flood the engine”, vapor lock, double-clutch

• friction point

• My mother had a car you had to back up steep hills because there wasn’t a fuel pump

• First seat belts (two-point) common in mid-1960s

• “Safety third” — Mike Rowe

It’s not the driver’s fault if the engine catches fire

• This is an engineering problem.

• We don’t accept most company claims that it is the driver’s fault.

• “Sudden acceleration events” do seem to involve the driver hitting the wrong pedal.

• Poor design killed John Denver

You don’t have to be a mechanic to drive your car, and you shouldn’t have to be a

security expert to use your computer safely.

Long view: it is still early in the computer revolution

• I know, I know, we aren’t talking UNIVAC or “minicomputers” any more.

• Moore’s law has gone a very long way.

• The order of things: make it work, then worry about security: (It Works!)

• rlogin, NFS, X windows, MSFT before 2001.

• But look where we are in UIs: I thought we might get stuck with MSFT menus, like the QWERTY keyboard

Still early in the computing game: terminal or desktop?

• Mainframes (Roosevelt)

• Timesharing (Kennedy)

• Minicomputers (Kennedy)

• Workstations (Reagan)

• Client/server

• X terminals and Plan 9 (Reagan)

• Palmtop (Clinton)

• Cloud computing (Bush 43)

UI?

• Tired of listing them, but pinching/tapping/sliding is only about 10 years old

• Microsoft is migrating away from their awful drop down menus!

• Good UIs are part of the solution

What do I mean by “winning”

This is going to get better

• I love living in the future

• Velcro, 12-hour nasal spray, surgical “lasers”, routine rockets to LEO, astonishing computers

• Sick and tired of computer and network security problems

• Hacked for CPU seconds!

• Already a lot of good security work done

• Time sharing, Multics

• Spooks

What Does Winning Look Like?

• Locks in London

• Spiral dives and the artificial horizon

• Vaccines: Rinderpest, Smallpox(?), Polio(?)

• Hotel room doors

• Analog phone cloning

• ATM cards

• Automobile keys

What winning looks like

• You must be present to win.

• No more need for training about clicking on bad things

• More non-IT time with grandma.

I think we can win

• Meaning build an affordable computing platform that can’t be compromised by any user error not involving a screwdriver

• It’s our hardware, our software, and our network connection. We ought to be able to control it, dammit!

• Winning doesn’t mean that your machine can’t misbehave on the Internet

Winning Doesn’t Mean It’s Perfect

• It never does: there is no such thing

• Winning means good enough

Actually, it is already getting better

• Melissa? Blaster? Weak network services seem to be hard to find.

• Software “annealing” and sendmail(8)

• It’s not so much about script kiddies any more.

Some Engineering Specifications Needed for Winning

• A rock-solid client (Windows OK?)

• Hardware worthy of our trust

• Usable crypto

• Reasonable expectations of the results

Design goals for Grandma’s computer

• There’s nothing she can type, tap, swipe, or click on that will change the software she is running, or change her trusted computing base.

• There is nothing a remote attacker can do to her computer without having physical access to the hardware. And maybe even that is hard work.

To me, this means…

• Static, signed trusted software, possibly not upgradable(!)

• A rock-solid, proven sandbox that we can run alien software in, particularly HTML5, Java, and Javascript.

• Alien software can be ably and reliably contained and run in a sandbox that preserves all of the above guarantees.

• The software she runs can be reliably ascribed to a particular vendor, and that vendor can be confident enough to be willing to assume significant liability for misbehavior of that software.

Design goals for Grandma’s computer (cont.)

• Grandma has clear indications when she is surfing the web off of well-defined paths on the Internet.

We have an old-fashioned name for this kind of software

• It is called an “operating system,” and back in the Nixon era, we were designing them with these properties in mind.

• Rapid growth, market forces (that’s you), vast legacy OS designs that missed the point (VMS -> Windows -> Windows NT -> …)

• It appears that a vast army of volunteer programmers is not capable of making small, simple, clean designs.

A solution for 70% of the client machines?

• Grandma

• Employees

• Students

• Troops? (MIL-spec for all!)

A note on Grandma

Purchasers

• Ask for/insist on reliable machines for your 70%

• Replace legacy stuff with easily-upgraded stuff, when possible

• Assume you are being watched: what would that look like?

• Go check.

Target users for this computer

• Grandmas, for large values of grandma

• Most employees and regular computer users

• Most military clients. Grandma could run Milspec.

• Maybe 70% of the market?

• Not gamers.

Hardware worth our trust

“Security people are paid to think bad thoughts”

• — Bob Morris

Security paranoia

• We live in a dark world.

• A lot of thoughts are dismissed as “theoretical”

• But they end up showing up, eventually.

• Here are some examples

Intel’s SMM mode: lurking insecurity

• Been around since the Intel 386. A separate, protected “maintenance mode”.

• It has always worried me.

• A major player in the list of specific attacks mentioned in the Snowden releases.

• The star of several security papers.

Pentium complexity

• Rings 3 and 0

• System Management Mode*

• Virtual machine interface

• Microcode?!

• How bad can a compromised CPU be?

* Duflot, Loïc, Daniel Etiemble, and Olivier Grumelard. “Using CPU System Management Mode to Circumvent Operating System Security Functions.” CanSecWest/core06 (2006). http://cs.usfca.edu/~cruse/cs630f06/duflot.pdf

Usable crypto

Usable, trustable crypto

• Johnny still can’t encrypt

• Cryptology is the really hard part

• I think society needs to make a firm choice, and make the spooks follow.

• We still can’t prove a crypto protocol secure

• “Crypto is a field of endeavor where we hope there won’t be progress.” — Matt Blaze

Reasonable expectations

• People will always be able to fool some of the people

• Don’t forget the three B’s: burglary, bribery, and blackmail.

• Any public service can be hit with denial-of-service attacks

• Attribution is going to continue to be a problem, because the Internet connects to all the bad neighborhoods.

Lessons, and things that worry me

Better than passwords

• Both are much better than passwords

• SNK-004 used symmetric key, known only to device and server

• PIN known only to device

• SecurID’s key known to device, server, RSA

• SNK was an ε better
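
The two designs on this slide differ only in who holds the key, and that difference is easiest to see in code. The Python sketch below is an added illustration, not code from Cheswick’s talk or from any SNK or SecurID product: it models a hypothetical challenge-response token whose symmetric key and PIN live only on the device, with the server holding a copy of the key and nothing else, using HMAC-SHA256 with HOTP-style truncation. The key, PIN and user name are constructed demo values.

```python
import hashlib
import hmac
import secrets

# Constructed demo values, not real credentials. In a real deployment the key
# is generated at enrolment and stored only in the device and on the server.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_PIN = "4711"


def token_response(key: bytes, challenge: bytes, digits: int = 8) -> str:
    """Device-side computation: HMAC-SHA256 over the server's challenge,
    truncated to a short decimal code the user can type back.
    The truncation is the HOTP dynamic-truncation step (RFC 4226)."""
    mac = hmac.new(key, challenge, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class Token:
    """Hypothetical SNK-004-style device: the key and the PIN never leave it."""

    def __init__(self, key: bytes, pin: str) -> None:
        self._key = key
        self._pin = pin

    def respond(self, challenge_hex: str, entered_pin: str):
        # The PIN is checked locally; the server never learns or stores it.
        if not hmac.compare_digest(entered_pin.encode(), self._pin.encode()):
            return None  # wrong PIN: the device displays nothing
        return token_response(self._key, bytes.fromhex(challenge_hex))


class AuthServer:
    """Holds one shared key per user; issues one-time challenges, checks answers."""

    def __init__(self) -> None:
        self._keys = {}      # user -> shared key (the server's only secret)
        self._pending = {}   # user -> outstanding challenge

    def enrol(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def challenge(self, user: str) -> str:
        # Fresh random challenge: a captured response is useless next time.
        nonce = secrets.token_hex(8)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response) -> bool:
        nonce = self._pending.pop(user, None)  # each challenge is usable once
        if nonce is None or response is None or user not in self._keys:
            return False
        expected = token_response(self._keys[user], bytes.fromhex(nonce))
        return hmac.compare_digest(expected, response)


def demo() -> bool:
    """One login round trip; True when device and server agree."""
    server = AuthServer()
    server.enrol("grandma", DEMO_KEY)
    device = Token(DEMO_KEY, DEMO_PIN)
    nonce = server.challenge("grandma")
    return server.verify("grandma", device.respond(nonce, DEMO_PIN))


if __name__ == "__main__":
    print("login ok" if demo() else "login failed")
```

Everything that can mint a valid response is exactly the set of holders of `DEMO_KEY`: here, the device and the server. A design in which the vendor also keeps the seed adds a third holder, which is the ε the next slide prices: a breach of that third copy alone, touching neither device nor server, is enough to reproduce the codes. Because the PIN check never reaches the server, a server-side breach yields keys but not PINs.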

ε had a large value

• RSA break-in caused major attacks on a government contractor and others

• RSA had to reissue fobs

• All of this was because they relied on a (successful) business model that had a security weakness.

• RSA is not a slouch in the security business.

“The best is the enemy of the good”

• A call for mediocrity in the name of getting something done.

• Don’t flatter yourself that your efforts are “good”.

• Also, from Soul of a New Machine, “Not all jobs are worth doing right.”

• This leads to…

Aspects of Virtual Machines worry me

• The kernel/hardware interface is not a natural security perimeter

• The trusted kernel (DOM0) is generally huge

• Co-resident VMs may leak data, and there are papers demonstrating this

Aspects of Virtual Machines worry me (cont)

• It seems very hard or impossible to hide the VM’s activities from the supplier

• Homomorphic encryption is a rat-hole:

• never efficient if even possible

• opens algorithms to a whole new field of attacks similar to traffic analysis

• The virus guys are already doing this, a bit.

Cloud computing

• Clearly there is a use for bulk computing

• Netflix is the best example: high volume, low security

• Security is going to remain an issue

• See VMs (above)

Shared libraries seem like a bad security idea

• You can change a program after it is installed

• A checksum of a binary does not ensure that it is the same program

• Makes installation in a chroot(8) environment more difficult, and requires extra crap in that environment.

Not working: shared and dynamic libraries

• “sshd day zero bug” in 2013 was shared library replacement attack.

• Long history of similar attacks

• implemented to save memory and load time back in the days of small memory and the X window system

• not worth it

• Make all your binaries static!

• Ditto DLLs
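
As an added illustration, not from the talk, here is a Python sketch of the point the last two slides make: a checksum of the executable file says nothing about the libraries the loader will map into it at run time. It hashes a constructed binary together with the libraries that ldd(1)-style output says would be loaded, and shows the combined hash changing when a library on disk is swapped while the binary’s own hash stays put. The ldd text, file contents and paths are constructed stand-ins for reading real files.

```python
import hashlib
import re

# One ldd(1)-style line: "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)".
# The vdso pseudo-library and the loader line carry no "=>" and are skipped.
_LDD_RESOLVED = re.compile(r"^\s*(\S+)\s+=>\s+(/\S+)\s+\(0x[0-9a-fA-F]+\)\s*$")
_LDD_MISSING = re.compile(r"^\s*(\S+)\s+=>\s+not found\s*$")


def parse_ldd(output: str) -> list:
    """Return the resolved library paths from ldd output; refuse unresolved ones."""
    paths = []
    for line in output.splitlines():
        if _LDD_MISSING.match(line):
            raise ValueError("unresolved library: " + line.strip())
        m = _LDD_RESOLVED.match(line)
        if m:
            paths.append(m.group(2))
    return paths


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def effective_hash(binary: bytes, libraries: dict) -> str:
    """Hash of what actually runs: the executable plus every library the loader
    maps, each bound to its path, in a canonical (sorted) order. For a static
    binary `libraries` is empty and this covers the whole program."""
    h = hashlib.sha256()
    h.update(b"exe\0" + sha256_hex(binary).encode() + b"\n")
    for path in sorted(libraries):
        h.update(path.encode() + b"\0" + sha256_hex(libraries[path]).encode() + b"\n")
    return h.hexdigest()


# Constructed stand-ins for files on disk (real code would open(path, "rb") them).
LDD_OUTPUT = """\
\tlinux-vdso.so.1 (0x00007ffd3a1fe000)
\tlibcrypto.so.3 => /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f2a9c200000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a9bf00000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f2a9c600000)
"""
APP_BYTES = b"\x7fELF constructed stand-in for /usr/local/bin/app"
LIBS_CLEAN = {
    "/usr/lib/x86_64-linux-gnu/libcrypto.so.3": b"\x7fELF constructed libcrypto",
    "/lib/x86_64-linux-gnu/libc.so.6": b"\x7fELF constructed libc",
}
# Same executable on disk, but one library has been replaced.
LIBS_SWAPPED = {**LIBS_CLEAN, "/lib/x86_64-linux-gnu/libc.so.6": b"\x7fELF something else"}


def compare() -> dict:
    """The executable's checksum is identical in both cases; the program that
    would actually run is not."""
    paths = parse_ldd(LDD_OUTPUT)
    clean = {p: LIBS_CLEAN[p] for p in paths}
    swapped = {p: LIBS_SWAPPED[p] for p in paths}
    return {
        "libraries": paths,
        "exe_hash": sha256_hex(APP_BYTES),
        "effective_clean": effective_hash(APP_BYTES, clean),
        "effective_swapped": effective_hash(APP_BYTES, swapped),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(k, v)
```

Real use would read each listed path and compare the combined hash against a signed manifest. Two caveats: ldd reports what the dynamic linker would resolve in the current environment (LD_LIBRARY_PATH and friends included), and it cannot see libraries a program dlopen(3)s later. A static binary, as the slide says, is the one build in which the file hash and the program hash coincide.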

New car troubles: we aren’t learning

• Note: cars now need the second kind of firewall

• Attacks on the CANBUS (It Works!)

• attacks through Bluetooth, evil mp3 files, etc.

• web search for “CANBUS security”

• Tiffany Rad

• Here we go again

Long upgrade chains

• Linus -> ….

• -> ubuntu/redhat/… -> ….

• -> raspberry Pi

• -> DSL modems, routers, printers, wireless base stations

• -> onboard aircraft entertainment systems

• -> travel information displays in airports, subways, etc.

• -> thermostats, refrigerators, etc.

Long upgrade chains (cont.)

• Microsoft -> Windows n ->

• -> office workers

• -> utility machines

• -> FDA -> medical devices

• -> thermostats, refrigerators, etc.

Upgrade chains (cont.)

• Some really ancient system running on dead operating systems modified by people who retired fifteen years ago ->

• -> that vital, irreplaceable controller on the factory floor that still has fifteen years left on its depreciation schedule

Good news, everyone!

• Apple pretty much got out of this business.

• Upgrades are very easy and widespread

• They had to rewrite their operating system for the Mac around 1999

• iOS had some great security ideas built in, perhaps the most important:

• an app can’t mess with another app’s stuff

Layers are good

Some crappy layers

• Your firewalls to the Internet

• Your employees

• Whatever special arrangements your CEO might have in place

• Any Microsoft operating system

• Your physical security

Who are you gonna call?

Who Are You Gonna Call?

• Hyper-careful industrialists

• Dean Kamen (insulin pumps, wheelchairs)

• Elon Musk (rockets, cars)

Government policies

• Mandate “no back doors”

• Allow/encourage data sharing about attacks

• buy safer computers

Microsoft?

• They certainly turned around in 2001

• Vista and Win7 appear to be vastly more secure than Windows XP

• This was a huge job. I don’t know how much of the legacy problem they solved.

Windows OK

• There is nothing you can click, tap, or say that will corrupt your computer.

• It should be intuitively obvious when you are not visiting a Fortune 500 web site, or a place you have never searched before.

• Offers standard services

• It could meet the specs for this dream system.
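
The slide’s second bullet, that it should be obvious when you have left the well-trodden part of the web (micros0ft.com on an earlier slide), can be approximated with a small check. This Python sketch is an added example, not code from the talk or from Microsoft: given the set of domains a user actually visits, it reports whether a URL’s registrable domain is known, an unfamiliar name, or a look-alike of a known one after collapsing digits-for-letters and accented characters. The confusable table and the rule that the registrable domain is the last two labels are simplifying assumptions made for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Small confusable table, constructed for this example; a production version
# would use the Unicode confusables data (UTS #39) instead.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                              "7": "t", "8": "b", "|": "l"})


def registrable_domain(host: str) -> str:
    """Last two labels of the host name.
    Assumption for this sketch: no multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so visually similar names compare equal:
    strip accents (NFKD), map confusable digits/symbols to letters, drop hyphens."""
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(_CONFUSABLES).replace("-", "")


def classify(url: str, known_domains: set) -> tuple:
    """Return ("known", d), ("lookalike", d) or ("unfamiliar", d) for the
    URL's registrable domain d, where for a look-alike d is the known
    domain it resembles."""
    # urlsplit().hostname discards userinfo, so "https://bank.example@evil.example/"
    # is judged by evil.example, the host the browser would actually contact.
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    if domain in known_domains:
        return ("known", domain)
    by_skeleton = {skeleton(k): k for k in known_domains}
    target = by_skeleton.get(skeleton(domain))
    if target is not None:
        return ("lookalike", target)
    return ("unfamiliar", domain)


if __name__ == "__main__":
    # Constructed sample history and URLs.
    known = {"microsoft.com", "example.com"}
    for u in ("https://www.microsoft.com/en-us/", "http://micros0ft.com/login",
              "https://exämple.com/", "https://microsoft.com@evil.example/"):
        print(u, "->", classify(u, known))
```

A production version would also use the public suffix list for the registrable domain and decode xn-- labels before comparing; the shape of the check, comparing the skeleton rather than the raw name against what the user habitually visits, stays the same, and the result is what would drive the visible indication the slide asks for.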

Do we have this already?

• Jeff Jones (MSFT) said Win 7 was much safer than corresponding Linux

• Maybe Win 8, too

• Seems like an awfully large hunk of software to declare victory, and maybe they haven’t.

Apple?

• Macintosh redesigned in late 1990s, on FreeBSD

• Vastly improved, big market success. Does have legacy software that lagged for a while.

Maybe iOS...

• Certainly Apple tried hard to design security into iOS, and they had a fresh start, sort of

• App isolation and app walled garden were key security goals.

• How can we tell? Measure security…

iPhone authentication

• The iPhone looks like a nearly ideal solution

• It is nearly always with us

• It has enough CPU power for strong crypto

• Various sensors are suitable for biometric identification and authentication

• Location information is readily available

• It seems to be somewhat resistant to attacks.

Apple security?

Apple security?

• I love these devices, so I learned Rejective C and usually follow their UI advice slavishly.

• NeXTSTEP is from the late 1980s, which is okay in itself, but

• retain count stuff went away (mostly) only a couple years ago when ARC came

• It’s not just my software that crashes

Apple security?

• I don’t see how anyone can have confidence that their non-trivial program is correct in this system.

• AND…they get jailbroken as soon as there is a new release. This is not a good sign.

• My best bet for the most secure clients at the moment, but it is scary

This just in about Apple

• Forensics experts tell me it is getting harder and harder to jailbreak new Apple iOS releases

• Annealing in action

• A good sign

• But: hackers report secret protocol options and perhaps back doors.

Google

• A lot of efforts in important areas, with security on their mind:

• Android

• Chrome

• Chromium

• and Go (a nice language)

Android

• Android is the regular and systematic target of security research papers, probably because it is much more accessible than iOS.

• As for the apps: “the problem with folk songs is that they are written by the people.” — Tom Lehrer

• It is also the basis for some brand new attempts at secure clients, like Boeing Black.

Other players

• Any of these companies could start over, and maybe some should

• A basic operating system has approximately a $0 billion startup cost.

Academic and other research groups

• Small teams have produced very interesting operating systems, and I bet small is going to be an important part of the answer. Some examples:

• Plan 9, Minix 3

• Peter Neumann, DARPA CRASH program: clean slate redesign from hardware on up.

• The military has a strong interest in this, and even in disseminating the solution

• cf. SELinux

I think we can win

• It is our hardware, and our software

• There is no law of physics that says this can’t be done, and

• We have engineered reliable systems out of unreliable parts before.

• We have the home-field advantage

• Correct software can be implemented, if we are very careful

I won’t live to see all this happen

• And there will still be plenty of security problems

• You can always fool people somehow

• And every public service can be flooded by the public (DDoS)
