Are the System Security Watchmen Asleep - PowerPoint PPT Presentation


Presentation Transcript

Are the System Security Watchmen Asleep?

ICIW 2008

University of Nebraska Omaha

April 24, 2008

Dr. Roger R. Schell

[email protected]


Overview

  • Executives often clueless about security

    • They rely on professionals to be their “watchmen”

    • “Acceptable risk” based on gross misperception

  • Serious failure by security professionals

    • Don’t warn of adversaries’ subversion attack tools

    • Don’t warn that current solutions are highly ineffective

  • “Watchmen” responsible for likely disasters

    • “Blood on the hands” of those not sounding alarm

  • Time to sound alarm -- need radical change

    • Proven verifiable protection is available, but languishes


Air Gap Between Domains Is Secure – But Crippling …

[Slide diagram: isolated site networks – OSINT, GWAN (IWS), Ops Net, NSANET (IWS), JWICS (IWS), Multi-Net (IWS), SIPRNET, JWICS VTC, READOUT – with no connections between them]

“Lack of multilevel security (MLS) not only slows information sharing but often prevents it altogether” - Congressional Report on 9/11


Misguided Management Response

  • Accredit & deploy low assurance platforms

    • SE Linux

    • Virtual Machine Monitor, e.g., NetTop

    • Trusted Solaris

    • DODIIS Trusted Workstation (DTW)

    • “Guards” and filters, e.g., Radiant Mercury, ISSE

  • Ignore that low assurance is unevaluatable

    • Technology can only assure finding “obvious flaws”

    • Attackers rule, disasters are likely

  • Exacerbate risks with plans to get well

    • Reliance on “added on” security makes things worse


Outline: Watchmen – Sound the Alarm

  • Subversion threat is serious and growing

  • Unconscionable use of overly weak solution

  • Verifiable protection technology languishes


Cross-Domain Solution (CDS) (Uninformed Executive Perception)

[Slide diagram: a Cross Domain Solution (CDS) running on an Operating System sits between a High Network Domain and a Low Network Domain]

Executive Perception of current CDSs: Controlled sharing

(Believes CDS prevents high information from flowing down)


Challenge is CDS Connectivity (A “theorem” from science)

Computer Security Intermediate-Value Theorem

(Dr. David Bell, 2006: http://www.acsac.org/2005/papers/Bell.pdf)

Connection of disparate domains is multilevel

[Slide diagram: Corporate or Government High Networks Domain connected to Low Networks or Internet Domain]


Cyber Warfare Subversion Likely

  • Tiger Teams: subversion is tool of choice

    • http://www.airpower.maxwell.af.mil/airchronicles/aureview/1979/jan-feb/schell.html

    • http://www.acsac.org/2002/papers/classic-multics.pdf

  • Adversaries can use 30 + years experience

    • The threat has only increased with time

    • Trojan horses – application subversion

      • Thousands in products, e.g., viruses and “Easter Eggs”

    • Trap doors – infrastructure subversion

      • Root kits, malware

  • Buy IT solution from your mortal enemy?

    • Better figure out how, because likely you are

    • Software of uncertain pedigree


Trojan Horse Attack: Malicious Code in Use of CDS

  • Hidden functionality in application & CDS

    • Adversary usually outsider (stranger to victim)

    • Can be surreptitiously distributed

  • Application user is unwitting agent

    • Requires victim (user) to execute application

    • Constrained by system security controls on victim

    • Exploitation undetected & controlled by remote design

  • Current networks open vast opportunity

    • Testing & review to detect is futile and delusional

    • Little mitigation in applications and most CDS systems


Trojan Horse Attack: Cross-Domain Solution (CDS)

[Slide diagram: a Cross Domain Solution (CDS) running on an Operating System sits between a High Network Domain and a Low Network Domain]

Determined adversary understanding of reality of current CDSs: Trojan horses exfiltrate data

(Substantial high data leakage to low domain)


Trap Door Attack: Subversion of Infrastructure

  • Malicious code in platform

    • Software, e.g., operating system, drivers, tools

    • Hardware/firmware, e.g., BIOS in PROM

    • Artifice can be embedded any time during lifecycle

    • Adversary chooses time of activation

  • Can be remotely activated/deactivated

    • Unique “key” or trigger known only to attacker

    • Needs no (even unwitting) victim use or cooperation

  • Efficacy and Effectiveness Demonstrated

    • Exploitable by malicious applications, e.g., Trojans

    • Long-term, high potential future benefit to adversary

    • Testing not at all a practical way to detect


Trap Door Attack: Cross-Domain Solution (CDS)

[Slide diagram: a Cross Domain Solution (CDS) running on an Operating System sits between a High Network Domain and a Low Network Domain]

Determined adversary understanding of reality of current CDSs: Trap door gives low attacker access to data

(Low has repeated, undetected access to high information)


Summary of Subversion Process

  • Step #1 – infrastructure subversion

    • Integral to installed software, e.g. trap door

    • Added to software suite during lifecycle, e.g., viruses

    • Big attraction: easy to avoid being apprehended

      • Perpetrator not present at time of attack

  • Step #2 – execution of artifice software

    • Can activate by unique “key” or trigger

    • NPS demo, 12 lines of code (LOC) subverts Linux NFS

  • Step #3 – (optional) “two card loader”

    • Bootstrap small toehold for diverse customized attacks

    • NPS demo with 6 LOC to subvert XP and then IPSEC

  • Step #4 – access unauthorized domain data


CDS Subversion Vulnerability

[Slide diagram: Corporate or Government High Networks Domain connected through a CDS* to Low Networks or Internet Domain, annotated “Loss of Integrity” and “Loss of Secrecy”]

Computer Security Intermediate-Value Theorem: Connection of disparate domains is multilevel

* CDSs not verifiably multilevel secure (MLS)


Outline: Watchmen – Sound the Alarm

  • Subversion threat is serious and growing

    • Low cost, low risk to attacker, virtually undetectable

    • Highly effective, extensible, e.g., “two card loader”

  • Unconscionable use of overly weak solution

  • Verifiable protection technology languishes


Weakest Link is Flawed Solutions

  • Single flawed interface exposes whole net

    • “Defense in depth” as used is myth: ignores subversion

    • Plethora of “band aid” solutions, e.g., firewall, IDS, …

    • Low assurance CDSs, e.g., guards invite disaster

    • Like WW II crypto use sent thousands to watery grave

  • “Secure application” is non-computable

    • Determining it is multilevel secure (MLS) is impossible

    • Common practice and policy cannot change science

    • Equivalent to stream of “perpetual motion” patents


“Secure” Pixie Dust Components

  • Vested interest research “sand boxes”

    • Saps funds and attention with little accountability

    • Implied accreditation shortcut inhibits warnings

    • Subsidized contributions drive out system solutions

  • Hard problems for MLS systems remain

    • Encryption “opiate of the naive” needs trusted control

    • No security hardware, e.g., TPM, composition defined

    • Virtualization hardware needs high assurance monitor

    • Separation kernel needs reference monitor

    • Security from guard script language is non-computable

  • CDS can be no better than platform it is on


Flaws in System Solutions Missed

  • False security from isolated components

  • Accreditors cannot responsibly judge flaws

    • Lack “approved” system security evaluation criteria

    • Unskilled in assessing methods to address subversion

  • Only a verifiably secure CDS is evaluatable

    • On verifiable trusted computing base (TCB) platform

    • Last coherent codification in TCSEC “Class A1”

    • System security must be designed in, not bolted on

    • Includes composition of “partitions” and “subsets”


Impact Indications and Warning

  • Vendor downloadable product subverted

    “Cracker gained user-level access to modify the download file. . . . you pray never happens, but it did.”

    – WordPress, reported on wordpress.org, March 2, 2007

  • Intrusion can replace traditional espionage

    “you can exfiltrate massive amounts of information electronically from the comfort of your own office.”

    – Joel Brenner, counterintelligence executive in CNN.com, October 19, 2007

  • SW subversion steals credit/debit card data

    “an ‘illicit and unauthorized computer program’ was secretly installed at every one of its 300-plus stores.”

    – Hannaford Bros. Co., reported on eWeek.com, March 28, 2008

  • Military recognition of subversion

    “vulnerabilities are introduced during manufacturing that an adversary can then exploit.”

    – Lt. Gen. Robert Elder, USAF, at Cyber Warfare Conference, April 2008


State of Cyber Warfare Defense

“Nearly thirty years ago, Roger Schell accurately predicted: systems not designed for the modern Internet threats, poorly implemented, forcing the installation of nearly daily security patches, and many millions of systems being compromised on an ongoing basis.”

Dave Safford, Manager, IBM Global Security Analysis Lab http://www.research.ibm.com/gsal/tcpa/why_tcpa.pdf


Outline: Watchmen – Sound the Alarm

  • Subversion threat is serious and growing

    • Low cost, low risk to attacker, virtually undetectable

    • Highly effective, extensible, e.g., “two card loader”

  • Unconscionable use of overly weak solution

    • Current practice invites catastrophic mission impacts

    • Pixie dust of “secure” components gives false security

  • Verifiable protection technology languishes


Sharing Data Across Disparate Domains Needs MLS

  • Any low connection => MLS

    • Must be Multi-Level Secure (MLS)

    • Low/Medium assurance ineffective

      • No protection against subversion

      • Vulnerabilities unknown (unknowable)

  • Class A1 resists subversion

    • Is verifiably secure (high assurance)

    • Verifies absence of malicious code

    • Key enabler for CDS accreditation

  • Isolation obstructs missions

    • Tactical situational awareness

    • Efficient utilization of resources

[Slide diagram: a Multi-Level Secure Connection between a High Network Domain and a Low Network Domain]


Share but Resist Subversion

[Slide diagram: an adversary plants a trap door or Trojan horse in the Cross Domain Solution (CDS), which runs on a Verifiably Secure TCB between a High Network Domain and a Low Network Domain; the planted code is marked “Impossible to find or Fix”]

“an arms race we cannot win”

– IBM VP at RSA, Apr 2008

TCB still prevents information from flowing down


Proven Methods Evaluated and Deployed TCB

  • Mature, proven trusted systems technology

    • TCSEC/TNI need not be used as organizational utterance for policy

Balanced assurance, composable subsets for systems


Verifiably Secure: Class A1 / EAL7

[Slide figure: ladder pairing TCSEC classes with Common Criteria assurance levels]

  TCSEC   Common Criteria
  A1      EAL7   – NO VULNERABILITIES
  B3      EAL6   – UNKNOWN VULNERABILITIES
  B2      EAL5
  B1      EAL4
  C2      EAL3
  C1      EAL2

Beware of “No Man’s Land”

Only Class A1/EAL7 excludes malicious software


Proven Solution: Security Kernel

[Slide diagram: a Verifiably Secure Platform layered as Applications / Appliances and Security Services, an Operating System, a Verifiable Security Kernel, and an Intel x86 Hardware Platform with Disk, Network, and Monitor/Keyboard]

“The only way we know . . . to build highly secure software systems of any practical interest is the kernel approach.”

-- ARPA Review Group, 1970s (Butler Lampson, Draper Prize recipient)

A computable solution to process simultaneously a range of sensitive information


Illustrative MLS Demonstrations (at UNO on COTS GTNP Kernel)

  • Multilevel Secure Web Server

    • Browse down

    • Unhackable web resources

  • Multilevel FTP Server

  • Covert Communications Proxy


Multilevel Web Server Demo

[Slide diagram: a Multilevel Web Server App on a Verifiable TCB (e.g., Class A1 GTNP), serving a browser in the High Network Domain and a browser in the Low Network Domain]

High integrity administration (and Web page authoring)


Illustrative MLS Demonstrations (at UNO on COTS GTNP Kernel)

  • Multilevel Secure Web Server

  • Multilevel FTP Server

    • High network users see high & low files

    • Low network users cannot see high files

  • Covert Communications Proxy


Multilevel FTP Server Demo

[Slide diagram: a Multilevel FTP Server App on a Verifiable TCB (e.g., Class A1 GTNP), connected to both the Low Network Domain and the High Network Domain]


Illustrative MLS Demonstrations (at UNO on COTS GTNP Kernel)

  • Multilevel Secure Web Server

  • Multilevel FTP Server

  • Covert Communications Proxy

    • Low sources put files onto high servers


Covert Comms Proxy Demo

[Slide diagram: an MLS Covert Comms Proxy on a Verifiable TCB (e.g., Class A1 GTNP), accepting input from the Low Network Domain and delivering to a File Server in the High Network Domain]


MLS Demonstrations Summary (at UNO on COTS GTNP Kernel)

  • Multilevel Secure Web Server

    • Browse down

    • Unhackable web resources

  • Multilevel FTP Server

    • High network users see high & low files

    • Low network users cannot see high files

  • Covert Communications Proxy

    • Low sources put files onto high servers
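The three demos above all follow from the same two mandatory access control rules enforced by the TCB: a subject may read only at or below its own level (browse down, low cannot see high files) and may write only at or above it (low sources push files up to high, high can never write down). The toy reference monitor below is an added example, not code from the slides or the GTNP kernel; it assumes a constructed two-level lattice (low, high) and constructed file names, and exercises each demo against those rules.

```python
from dataclasses import dataclass, field

LEVELS = {"low": 0, "high": 1}  # constructed two-level lattice (demos use only these)


def dominates(a: str, b: str) -> bool:
    """True if level a is at or above level b in the lattice."""
    return LEVELS[a] >= LEVELS[b]


@dataclass
class LabelledStore:
    """Files labelled by the TCB; applications cannot relabel them."""
    files: dict = field(default_factory=dict)  # name -> (level, data)

    def list_files(self, subj: str) -> list:
        """FTP demo: a subject lists only files whose level it dominates."""
        return sorted(n for n, (lvl, _) in self.files.items() if dominates(subj, lvl))

    def read(self, subj: str, name: str) -> str:
        """Simple security property: no read up (browse down is allowed)."""
        lvl, data = self.files[name]
        if not dominates(subj, lvl):
            raise PermissionError(f"read up denied: {subj} -> {name}")
        return data

    def write(self, subj: str, name: str, lvl: str, data: str) -> None:
        """*-property: no write down; low may push files up (proxy demo)."""
        if not dominates(lvl, subj):
            raise PermissionError(f"write down denied: {subj} -> {lvl}")
        self.files[name] = (lvl, data)


def attempt(op, *args) -> str:
    # Run one access request and report the monitor's decision.
    try:
        op(*args)
        return "allowed"
    except PermissionError:
        return "denied"


def run_demos() -> dict:
    """Exercise the three demos on constructed files; return observations."""
    st = LabelledStore()
    st.write("high", "plan.txt", "high", "ops plan")        # constructed high file
    st.write("low", "weather.txt", "low", "forecast")       # constructed low file
    st.write("low", "report.txt", "high", "field report")   # proxy demo: low -> high
    return {
        "high_sees": st.list_files("high"),                 # FTP demo, high user
        "low_sees": st.list_files("low"),                   # FTP demo, low user
        "high_browses_down": st.read("high", "weather.txt"),  # web server demo
        "low_reads_high": attempt(st.read, "low", "plan.txt"),
        "high_writes_low": attempt(st.write, "high", "leak.txt", "low", "x"),
    }
```

The point of the demos is that these decisions live in the verifiable TCB, so a subverted web, FTP or proxy application running on top of it cannot relabel a file or bypass the checks.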


Previously Delivered MLS Solutions Validated Verifiable Technology

  • BLACKER – VPN (NSA product on GTNP)

  • HSRP – Pentagon MLS gateway (on GTNP)

  • CHOTS Guard – UK MOD system (on GTNP)

  • COTS Trusted Oracle 7 – (GTNP design)

  • SACLANT client/server (GTNP design)

  • AFFPB Crypto-seal guard (POC on GTNP)


Examples of More Opportunities to Apply Verifiable Technology

  • MLS Networked Windows (Thin Client)

  • MLS network attached storage (NAS)

  • Guards and filters

  • Real-time exec (e.g., SCADA appliances)

  • Verifiably secure MLS Linux, Unix, *ix

  • Identity mgt (PKI quality attribute)

  • MLS handheld network devices (PDA)


Cost & Benefit of Evaluated Protection Capabilities Technology

[Slide chart: COSTS TO DEVELOP plotted against BENEFIT TO USER and THREAT for each TCSEC Rating (C1, C2, B1, B2, B3, A1) and Common Criteria Assurance level (EAL2, EAL3, EAL4, EAL5, EAL6, EAL7). Annotations: “Best Commercial Practice”; “Resistant to Trojan horses”; “Insurable, No Trap Doors; Immune to Trojan Horses”]

Development & evaluation cost if was rated, e.g., Aesec’s Class A1 GTNP

Development & evaluation cost for new verifiably secure product


Conclusion: Technology Watchmen – Sound the Alarm

  • Subversion threat is serious and growing

    • Low cost, low risk to attacker, virtually undetectable

    • Highly effective, extensible, e.g., “two card loader”

  • Unconscionable use of overly weak solution

    • Current practice invites catastrophic mission impacts

    • Pixie dust of “secure” components gives false security

  • Verifiable protection technology languishes

    • Government impedes proven COTS verifiable MLS

      • “Competition” from Government in funding experiments

      • Discrimination in evaluation, e.g., no “certificates”, no RAMP

    • Users fail to validate product hypothesis to vendors

      • Often uninformed/misinformed by security professionals


Are the System Security Technology Watchmen Asleep?

ICIW 2008

University of Nebraska Omaha

April 24, 2008

Dr. Roger R. Schell

[email protected]

