The Enemy Has Surrounded the Castle—Is It Time to Develop a Plan?
Dr Charles P Pfleeger
04/18/23 The Enemy is at the Gates 2
The Enemy at the Gates
Status of the security field today
Progress of the last three decades
Prognosis for the future
A plan
Conclusions
© 2003 Charles P Pfleeger
Information Security Today
Infrastructure
Systems
Applications
People
Users
Critical Internet Threats
SANS Institute:
1. BIND/DNS weakness, root compromise
2. Vulnerable CGI programs
3. RPC weakness, root compromise
4. RDS flaw in MS Internet Information Server (IIS)
5. Sendmail and MIME buffer overflows
6. Sadmind and mountd buffer overflows
7. Global file sharing vulnerabilities in NT, Unix NFS, and Macintosh Web sharing
8. UserIDs with weak (or no) passwords
9. IMAP and POP buffer overflows
10. Default SNMP community strings unencrypted, weak
Common Themes
Buffer overflows and other coding errors
Insecure initial configuration, defaults, and administration
Privilege compromise
Protocol weaknesses
Malicious Code Events
approx 1983: first virus; today, one anti-virus tool manufacturer reports protection against over 50,000 strains
1987: C. Stoll’s attacker in The Cuckoo’s Egg
1988: Morris worm
1992+: Kevin Mitnick
1994: first Microsoft Word virus
late 1990s: web site defacements (New York Times, H-P, Compaq, Alta Vista, eBay, Int’l Girl Scouts, …)
2001: Code Red, NIMDA
2002: Melissa, ILoveYou
2003: Slammer, sobig.f
Code Red Virus
19 June 2001: initial flaw report; patch posted a few days later
13 July 2001: initial attack; slow spread for first few days
Estimated effect: 750,000 servers affected (12.5% of servers worldwide); 400,000 after 1 Aug 2001; >$2 billion US to clean up
At least four variants
Structured buffer overflow in Microsoft IIS
Components: web site defacement; Trojan horse for later control; distributed denial of service
NIMDA, Melissa, Slammer, …
Standard attack components:
  Compromise mechanism
  Propagation mechanism
  Payload
Massive effect:
  Large number of affected systems
  Widespread infection
  Much wailing and gnashing of teeth
  Public attention/concern short
IIS 4.0 Security Patch History
14 May 2001 Windows NT4 Security Patch: Superfluous decoding operation could allow command execution via IIS
29 Jan 2001 Windows NT4 IIS4 Security Patch: File Fragment Reading via .HTR Vulnerability
21 Dec 2000 Windows NT 4.0 Security Patch: Malformed Web Form Submission Vulnerability
20 Nov 2000 Windows NT 4.0 IIS4 Security Patch: Web Server File Request Parsing Vulnerability
2 Nov 2000 Windows NT 4.0 IIS4 Security Patch: IIS Cross-Site Scripting Vulnerability
23 Oct 2000 Windows NT 4.0 IIS4 Security Patch: Session ID Cookie Marking Vulnerability
24 Aug 2000 Windows NT 4.0 IIS4 Security Patch: Cross-Site Scripting Vulnerability
13 Jul 2000 Windows NT 4.0 IIS4 Security Patch: Absent Directory Browser Argument Vulnerability
11 May 2000 Windows NT4.0 Internet Information Server 4 (IIS4) Security Patch: Malformed Extension Data in URL
10 May 2000 Windows 2000 IIS4 Security Patch: Undelimited .HTR Request and File Fragment Reading via .HTR
11 Apr 2000 Internet Information Server 4.0 (IIS4) Security Patch: Myriad Escaped Characters Vulnerability
20 Mar 2000 Internet Information Server (IIS) 4 Security Patch 4.2.739.1: Chunked Encoding Post Vulnerability
24 Feb 2000 Internet Information Server 4.0 (IIS4) Security Patch: Virtualized UNC Share Vulnerability (Intel)
20 Jan 2000 Internet Information Server (IIS) and Client Web Capacity Analysis Tool 4.35
7 Dec 1999 Internet Information Server 4.0 (IIS4) and Site Server 3.0 Security Patch: Virtual Directory Naming
6 Dec 1999 Internet Information Server (IIS) Security Patch 4.2.732.1: Escape Character Parsing Vulnerability
18 Jun 2001 MS01-33 Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise
Common Themes
Numerous security patches: “penetrate and patch” returns
Patching, administration, maintenance moved to end user
Defender needs complete protection; attacker needs only one vulnerability
Fragile community, infrastructure: devastated by simple attack
What Do Users Expect?
Functionality, Functionality, Functionality
More, better, faster, sexier
Security implemented by “fairy dust”
For free
What Do Users Get?
System crashes— no apparent cause, seemingly random times
Vulnerability patches of unknown content
Few choices
Last Three Decades’ Progress
Milestones in information security
Progress
Information Security Papers
1969 W. Ware and 1972 J. Anderson panels: need an organized approach to security
1975 J. Saltzer and M. Schroeder: secure system design principles
1979 R. Morris and K. Thompson: password security case study
1984 K. Thompson: potential effect of an embedded Trojan horse
1989 S. Crocker and M. Bernstein: ARPA-DARPA-Internet disaster causes
(references at end)
Results: New Ideas
Operating systems:
  Multics, KVM, PSOS, KSOS, SE-VMS, SCOMP
  Unix (and Linux)
  Windows NT/2K, 98/ME/XP
Networks:
  Verdix LAN, Boeing SNS
  TCP/IP, Novell
  IPv6 with security features … still in the future
Results: Old Ideas
Firewalls: implementation of the “reference monitor” concept of 1972
Virus scanners: based on 1970s pattern matching research
VPNs: an outgrowth of military cryptography
Intrusion detection systems: based on 1985 research
Evaluation: Users and Trust
Criteria: US (‘83), Canada (‘87), UK (‘89), Germany (‘89), ITSEC (‘91), US Federal Criteria (‘93), Common Criteria (‘94)
Status:
  Scheme with mutual recognition
  Dozens of evaluated products
  US (military) encouragement
  Evaluation limited: scope, time, depth
  Not a major market differentiator
Who is Ahead?
50,000 virus and malicious code strains
>600 million Internet users (not all of whom are malicious)
<10,000 certified information security professionals--SANS GIACs and CISSPs (plus many professionals who are not certified)
US$6.7 billion worldwide market for security services; growing to US$21 billion by 2005
Today’s Key Problems
Buffer overflow
Interface failures
Passwords
Time-of-check to time-of-use
Unintended side effects
Hard to understand controls
User awareness, understanding
All problems from 1970s
Frank Assessment
Flaws and flawed products are increasing faster than the security community
Attacks and attackers are getting nastier
We [the good folks] are slipping farther and farther behind
Spending for security and security research is increasing far more slowly than the threat
Research: Who Funds What
Company: products and technologies (firewalls, PKI solutions, IDSs, authentication devices, etc.)
Consortium: members’ interests (protocols (IPv6, LDAP), standards (CORBA), APIs (crypto, access))
Foundation: public interest (ethics, privacy (ACLU, recording industry))
Government: long-term, conceptual (technology (Internet, formal methods), problem-solving (secure OS))
Research Needs
Self defense
Domain confinement
Trust, assurance
Software “plug and play”
Software fault tolerance
Identity management
Patch approach
Self Defense
Problem:
  Patches, mobile code, distributed applications, client-side functionality
  Unknown origin, quality, action
Known approaches:
  Signing
  Confinement
Domain Confinement
Problem:
  Limiting harmful effects of untrustworthy code
Known approaches:
  Sandbox (Java), software
  Hardware-enforced separation
  Domain type enforcement
Trust, Assurance
Problem:
  Basis for trust between unknown parties
  Metrics for trust and assurance
  Algebra of trust: good + very good = ?
Known approaches:
  Evaluation schemes
  Testing
  E-mail: PGP vs PKI
  Screening (firewall), trial period
Software “Plug And Play”
Problem:
  Little “genetic diversity,” component substitution
  Desire to substitute high assurance component for factory default
Known approaches:
  Software engineering, modularity, APIs
  Reverse engineering
Software Fault Tolerance
Problem:
  Oversights (buffer overflows) undetected
  Failures produce catastrophic results; software does not detect and protect (isolate, recover)
Known approaches:
  Software engineering: reviews, testing
  Training: trustworthy computing initiative
  Hard to do for system composed of many parts
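An added example, not code from the talk: the unchecked copy behind the “buffer overflow” theme of the Common Themes and Code Red slides, beside a bounded version that detects over-long input and refuses it, the “detect and protect” behaviour this slide asks for. The HTTP request line, the 64-byte buffer and the function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the caller assumes the request path fits the buffer.
 * It works on every normal input, which is why the oversight goes undetected;
 * a path longer than 'dst' writes past its end. Returns the copied length. */
size_t copy_path_unchecked(char *dst, const char *path) {
    strcpy(dst, path);                  /* no bound at all */
    return strlen(dst);
}

/* Hardened pattern: check the length before copying, copy with an explicit
 * bound, always NUL-terminate, and report rejection (-1) instead of
 * truncating silently or overflowing. */
int copy_path_checked(char *dst, size_t dst_size, const char *path) {
    size_t n = strlen(path);
    if (dst_size == 0 || n >= dst_size) {
        return -1;                      /* over-long input: refuse it */
    }
    memcpy(dst, path, n);
    dst[n] = '\0';
    return (int)n;
}

/* Pull the path out of an HTTP request line such as "GET /x HTTP/1.0".
 * Returns the path length, or -1 if the line is malformed or the path
 * would not fit in 'out' (detect first, then copy). */
int parse_request_path(const char *req, char *out, size_t out_size) {
    const char *start = strchr(req, ' ');
    if (start == NULL) return -1;
    start++;
    const char *end = strchr(start, ' ');
    size_t n = end ? (size_t)(end - start) : strlen(start);
    if (n >= out_size) return -1;
    memcpy(out, start, n);
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    char buf[64];
    char long_path[200];                /* constructed over-long sample */
    memset(long_path, 'N', sizeof long_path - 1);
    long_path[sizeof long_path - 1] = '\0';
    printf("unchecked short copy: %zu\n", copy_path_unchecked(buf, "/index.html"));
    printf("checked long copy: %d\n", copy_path_checked(buf, sizeof buf, long_path));
    printf("parsed: %d\n", parse_request_path("GET /index.html HTTP/1.0", buf, sizeof buf));
    return 0;
}
```

The unchecked version is never called with the long sample in main, because doing so is the undefined behaviour the bounded version exists to prevent.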
Identity Management
Problem:
  Continuous I&A for distributed system
  Application-level authentication
  Basis for authentication of previously unknown parties
  Process acting on behalf of individual
  Users want “single sign on”
Known approaches:
  Local I&A, remote authentication (one-time), encrypted channels
Patch Approach
Problem:
  Never-ending check for patches
  Patching can introduce errors, break other code (“If it works don’t fix it”)
  Responsibility on naïve end-user
Known approaches:
  Telephone
  Automatic update
Problems with Research
Research is hard:
  Easier to find one flaw than prevent all
Results are not easily accepted:
  Ease of use
  Cost of security
  Little user demand
  Time-to-market
From Earth to Moon
US/USSR space race
International priority
Large investment
Attracted bright, dedicated people
Interdisciplinary
Some setbacks, but many, very visible successes; spin-offs
Some national defense value but much non-military
Not essential to world
Conclusions
Rich history of research results
Much of best work done in ’70s-’80s
Interesting challenges
International problem
Money needed, but comparatively little
References
Anderson, J., “Computer Security Technology Planning Study,” U.S. Air Force Elect. Sys. Div. Tech. Rpt. 73-51, Oct 1972; also http://csrc.nist.gov/publications/history/ande72.pdf
Crocker, S. and Bernstein, M., “ARPANET Disruptions: Insight into Future Catastrophes,” TIS Report #247, TIS Labs at Network Associates, 24 Aug 1989. No URL
Morris, R. and Thompson, K., “Password Security: A Case History,” Comm. of the ACM, Nov 1979.
Saltzer, J. and Schroeder, M., “Protection of Information in Computer Systems,” Proc. of the IEEE, Sept 1975.
Thompson, K., “Reflections on Trusting Trust,” Comm. of the ACM, Aug 1984.
Ware, W., “Security Controls for Computer Systems,” Rand Corp. Tech. Rpt. R-609-1, 1970 (reissued 1979); also http://www.rand.org/publications/R/R609.1/R609.1.html