Are the System Security Watchmen Asleep - PowerPoint PPT Presentation

Transcript and Presenter's Notes
1
Are the System Security Watchmen Asleep?
ICIW 2008, University of Nebraska Omaha, April 24, 2008
Dr. Roger R. Schell, Roger.Schell@aesec.com
2
Overview
  • Executives often clueless about security
    • They rely on professionals to be their watchmen
    • Acceptable risk based on gross misperception
  • Serious failure by security professionals
    • Don't warn of adversaries' subversion attack tools
    • Don't warn that current solutions are highly ineffective
  • Watchmen responsible for likely disasters
    • Blood on the hands of those not sounding alarm
  • Time to sound alarm -- need radical change
    • Proven verifiable protection is available, but languishes

3
Air Gap Between Domains Is Secure But Crippling

"Lack of multilevel security (MLS) not only slows information sharing but often prevents it altogether" -- Congressional Report on 9/11
4
Misguided Management Response
  • Accredit & deploy low assurance platforms
    • SE Linux
    • Virtual Machine Monitor, e.g., NetTop
    • Trusted Solaris
    • DODIIS Trusted Workstation (DTW)
    • Guards and filters, e.g., Radiant Mercury, ISSE
  • Ignore that low assurance is unevaluatable
    • Technology can only assure finding obvious flaws
    • Attackers rule, disasters are likely
  • Exacerbate risks with plans to "get well"
    • Reliance on added-on security makes things worse

5
Outline: Watchmen Sound the Alarm
  • Subversion threat is serious and growing
  • Unconscionable use of overly weak solution
  • Verifiable protection technology languishes

6
Cross-Domain Solution (CDS) (Uninformed Executive Perception)
[Diagram: High Network Domain connected through the CDS to Low Network Domain. Executive perception of current CDSs: controlled sharing (believes CDS prevents high information from flowing down).]
7
Challenge is CDS Connectivity (A theorem from science)
[Diagram: Corporate or Government High Networks Domain connected to Low Networks or Internet Domain.]
8
Cyber Warfare Subversion Likely
  • Tiger Teams: subversion is tool of choice
    • http://www.airpower.maxwell.af.mil/airchronicles/aureview/1979/jan-feb/schell.html
    • http://www.acsac.org/2002/papers/classic-multics.pdf
    • Adversaries can use 30 years' experience
    • The threat has only increased with time
  • Trojan horses: application subversion
    • Thousands in products, e.g., viruses and Easter Eggs
  • Trap doors: infrastructure subversion
    • Root kits, malware
  • Buy IT solution from your mortal enemy?
    • Better figure out how, because likely you are
    • Software of uncertain pedigree

9
Trojan Horse Attack: Malicious code in use of CDS
  • Hidden functionality in application & CDS
  • Adversary usually outsider (stranger to victim)
  • Can be surreptitiously distributed
  • Application user is unwitting agent
    • Requires victim (user) to execute application
    • Constrained by system security controls on victim
  • Exploitation undetected & controlled by remote design
    • Current networks open vast opportunity
  • Testing & review to detect is futile and delusional
  • Little mitigation in applications and most CDS systems

10
Trojan Horse Attack: Cross-Domain Solution (CDS)
[Diagram: High Network Domain connected through the CDS to Low Network Domain. Determined adversary understanding of reality of current CDSs: Trojan horses exfiltrate data (substantial high data leakage to low domain).]
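The Trojan horse path through a guard, as an added worked example (Python, written for this page; it is not code from the talk or from any product it names). A constructed "dirty word" guard releases text to the low domain if no classified marker appears, and a constructed Trojan inside a high-side application carries a five-byte secret one bit per word in the spacing of an innocuous status message. The marker list, the cover text and the payload are all made up for the demo:

```python
import re

# Constructed: the markers the guard is scripted to stop.
SECRET_MARKERS = ("SECRET", "ORION")

# Constructed: innocuous cover text the high-side application legitimately releases.
COVER_TEXT = (
    "The weekly status report is attached for review. Network maintenance is "
    "scheduled for Tuesday and Wednesday. Please confirm attendance at the "
    "planning meeting by Friday. All staff should complete the annual training "
    "module before the end of the quarter. Contact the help desk with any "
    "questions about the new badge readers."
)

# Constructed: the high data the Trojan wants to leak (5 bytes = 40 bits).
HIGH_DATA = b"ORION"


def guard_releasable(text: str) -> bool:
    """Toy dirty-word guard: release to the low domain only if no marker
    appears. This is the kind of script-language filter the talk argues
    cannot be made secure against a Trojan in the application."""
    upper = text.upper()
    return not any(marker in upper for marker in SECRET_MARKERS)


def trojan_encode(cover: str, secret: bytes) -> str:
    """Trojan in the high-side application: hide one bit of `secret` after
    each cover word as the number of spaces (1 space = 0, 2 spaces = 1).
    The visible words are unchanged, so the guard sees a clean message."""
    words = cover.split()
    bits = "".join(f"{byte:08b}" for byte in secret)
    if len(words) <= len(bits):
        raise ValueError("cover text too short for payload")
    carried = [word + (" " if bit == "0" else "  ") for word, bit in zip(words, bits)]
    return "".join(carried) + " ".join(words[len(bits):])


def low_side_decode(text: str, nbytes: int) -> bytes:
    """Receiver on the low network: read the spacing back into bytes."""
    gaps = re.findall(r" +", text)[: nbytes * 8]
    bits = "".join("1" if len(gap) >= 2 else "0" for gap in gaps)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def run_demo() -> dict:
    """A naive leak is stopped; the Trojan's encoded message is released and
    decodes to the high data on the low side."""
    naive = "status update, codeword " + HIGH_DATA.decode()
    covert = trojan_encode(COVER_TEXT, HIGH_DATA)
    return {
        "naive_released": guard_releasable(naive),
        "covert_released": guard_releasable(covert),
        "leaked": low_side_decode(covert, len(HIGH_DATA)),
        "visible_words_unchanged": covert.split() == COVER_TEXT.split(),
    }
```

The guard is doing exactly what its script says; the defect is that no content rule can bound what a cooperating sender encodes, which is the reason the talk puts the control in a verified kernel rather than in the filter.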
11
Trap Door Attack: Subversion of Infrastructure
  • Malicious code in platform
    • Software, e.g., operating system, drivers, tools
    • Hardware/firmware, e.g., BIOS in PROM
  • Artifice can be embedded any time during lifecycle
  • Adversary chooses time of activation
    • Can be remotely activated/deactivated
    • Unique key or trigger known only to attacker
  • Needs no (even unwitting) victim use or cooperation
  • Efficacy and effectiveness demonstrated
    • Exploitable by malicious applications, e.g., Trojans
    • Long-term, high potential future benefit to adversary
  • Testing not at all a practical way to detect

12
Trap Door Attack: Cross-Domain Solution (CDS)
[Diagram: High Network Domain connected through the CDS to Low Network Domain. Determined adversary understanding of reality of current CDSs: trap door gives low attacker access to data (low has repeated, undetected access to high information).]
13
Summary of Subversion Process
  • Step 1: infrastructure subversion
    • Integral to installed software, e.g., trap door
    • Added to software suite during lifecycle, e.g., viruses
    • Big attraction: easy to avoid being apprehended
      • Perpetrator not present at time of attack
  • Step 2: execution of artifice software
    • Can activate by unique key or trigger
    • NPS demo, 12 lines of code (LOC) subverts Linux NFS
  • Step 3 (optional): two card loader
    • Bootstrap small toehold for diverse customized attacks
    • NPS demo with 6 LOC to subvert XP and then IPSEC
  • Step 4: access unauthorized domain data
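A trap door with a unique trigger, as an added illustration of Steps 1, 2 and 4 above and of the preceding slide's point that testing cannot find one (Python, written for this page; the NPS demonstrations are not reproduced and this is not their code). The toy file server, its access list, the trigger value and the digest check are all constructed. The plaintext trigger appears in the block only so the demo can activate the artifice; a real artifice would carry only the digest:

```python
import hashlib
import secrets

# Constructed: access list and contents of a toy high-side file server.
ACL = {
    ("admin", "plans.txt"): {"read", "write"},
    ("admin", "notes.txt"): {"read", "write"},
    ("user", "plans.txt"): set(),
    ("user", "notes.txt"): {"read"},
}
FILES = {"plans.txt": "high-domain plans", "notes.txt": "routine notes"}

# Constructed: the attacker's trigger. Only its digest is embedded in the
# check below, so reviewing the code does not yield the key. The plaintext
# is kept here solely so the demo can fire the artifice.
ATTACKER_TRIGGER = "c4d1a6e0-demo-trigger-not-a-real-key"
TRIGGER_DIGEST = hashlib.sha256(ATTACKER_TRIGGER.encode()).hexdigest()


def authorize(role: str, filename: str, op: str, request_tag: str = "") -> bool:
    """Documented behaviour: allow iff the ACL grants `op`.
    The two lines marked ARTIFICE are the trap door (Step 1)."""
    if hashlib.sha256(request_tag.encode()).hexdigest() == TRIGGER_DIGEST:  # ARTIFICE
        return True                                                         # ARTIFICE
    return op in ACL.get((role, filename), set())


def read_file(role: str, filename: str, request_tag: str = "") -> str:
    """Server entry point; the request tag is an ordinary per-request field."""
    if not authorize(role, filename, "read", request_tag):
        raise PermissionError(f"{role} may not read {filename}")
    return FILES[filename]


def functional_tests_pass(rounds: int = 1000) -> bool:
    """Black-box test of every documented (role, file, op) case, each with a
    fresh random 128-bit request tag. Every case behaves as specified, so the
    suite passes; a random tag never equals the trigger, and searching the
    tag space is infeasible, so testing does not reach the artifice."""
    for _ in range(rounds):
        for (role, fname), granted in ACL.items():
            for op in ("read", "write"):
                tag = secrets.token_hex(16)
                if authorize(role, fname, op, tag) != (op in granted):
                    return False
    return True


def step4_unauthorized_access() -> str:
    """Steps 2 and 4: the attacker supplies the trigger and an unprivileged
    role reads the high file."""
    return read_file("user", "plans.txt", ATTACKER_TRIGGER)
```

Two lines are enough, and nothing in the server's documented interface changes, which is why the talk's answer is to shrink and verify the trusted code rather than to test the untrusted code harder.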

14
CDS Subversion Vulnerability
[Diagram: Corporate or Government High Networks Domain connected to Low Networks or Internet Domain.]
15
Outline: Watchmen Sound the Alarm
  • Subversion threat is serious and growing
    • Low cost, low risk to attacker, virtually undetectable
    • Highly effective, extensible, e.g., two card loader
  • Unconscionable use of overly weak solution
  • Verifiable protection technology languishes

16
Weakest Link is Flawed Solutions
  • Single flawed interface exposes whole net
    • Defense in depth as used is a myth; it ignores subversion
    • Plethora of band-aid solutions, e.g., firewall, IDS
  • Low assurance CDSs, e.g., guards, invite disaster
    • Like WW II crypto use sent thousands to watery grave
  • Secure application is non-computable
    • Determining it is multilevel secure (MLS) is impossible
    • Common practice and policy cannot change science
    • Equivalent to stream of perpetual motion patents

17
Secure Pixie Dust Components
  • Vested-interest research sandboxes
    • Sap funds and attention with little accountability
    • Implied accreditation shortcut inhibits warnings
    • Subsidized contributions drive out system solutions
  • Hard problems for MLS systems remain
    • Encryption, "opiate of the naive", needs trusted control
    • No security hardware, e.g., TPM, composition defined
    • Virtualization hardware needs high assurance monitor
    • Separation kernel needs reference monitor
    • Security from guard script language is non-computable
    • CDS can be no better than platform it is on

18
Flaws in System Solutions Missed
  • False security from isolated components
  • Accreditors cannot responsibly judge flaws
    • Lack approved system security evaluation criteria
    • Unskilled in assessing methods to address subversion
  • Only a verifiably secure CDS is evaluatable
    • On verifiable trusted computing base (TCB) platform
    • Last coherent codification in TCSEC Class A1
  • System security must be designed in, not bolted on
    • Includes composition of partitions and subsets

19
Impact Indications and Warning
  • Vendor downloadable product subverted
    "Cracker gained user-level access to modify the download file. . . . you pray never happens, but it did." -- WordPress, reported on wordpress.org, March 2, 2007
  • Intrusion can replace traditional espionage
    "you can exfiltrate massive amounts of information electronically from the comfort of your own office." -- Joel Brenner, counterintelligence executive, in CNN.com, October 19, 2007
  • SW subversion steals credit/debit card data
    "an illicit and unauthorized computer program was secretly installed at every one of its 300-plus stores." -- Hannaford Bros. Co., reported on eWeek.com, March 28, 2008
  • Military recognition of subversion
    "vulnerabilities are introduced during manufacturing that an adversary can then exploit." -- Lt. Gen. Robert Elder, USAF, at Cyber Warfare Conference, April 2008

20
State of Cyber Warfare Defense
"Nearly thirty years ago, Roger Schell accurately predicted systems not designed for the modern Internet threats, poorly implemented, forcing the installation of nearly daily security patches, and many millions of systems being compromised on an ongoing basis." -- Dave Safford, Manager, IBM Global Security Analysis Lab, http://www.research.ibm.com/gsal/tcpa/why_tcpa.pdf
21
Outline: Watchmen Sound the Alarm
  • Subversion threat is serious and growing
    • Low cost, low risk to attacker, virtually undetectable
    • Highly effective, extensible, e.g., two card loader
  • Unconscionable use of overly weak solution
    • Current practice invites catastrophic mission impacts
    • Pixie dust of secure components gives false security
  • Verifiable protection technology languishes

22
Sharing Data Across Disparate Domains: Need MLS
  • Isolation obstructs missions
    • Tactical situational awareness
    • Efficient utilization of resources

[Diagram: High Network Domain and Low Network Domain.]
23
Share but Resist Subversion
[Diagram: High Network Domain and Low Network Domain. Subverted code in the high domain: "Impossible to find or fix"; "an arms race we cannot win" -- IBM VP at RSA, Apr 2008. TCB still prevents information from flowing down.]
24
Proven Methods: Evaluated and Deployed TCB
  • Mature, proven trusted systems technology
  • TCSEC/TNI need not be used as organizational utterance for policy

Balanced assurance, composable subsets for systems
25
Verifiably Secure: Class A1 / EAL7

TCSEC   Common Criteria   Chart annotation
A1      EAL7              NO VULNERABILITIES
B3      EAL6
B2      EAL5              UNKNOWN VULNERABILITIES
B1      EAL4              Beware of No Man's Land
C2      EAL3
C1      EAL2

Only Class A1/EAL7 excludes malicious software
26
Proven Solution: Security Kernel
"The only way we know . . . to build highly secure software systems of any practical interest is the kernel approach." -- ARPA Review Group, 1970s (Butler Lampson, Draper Prize recipient)
A computable solution to process simultaneously a range of sensitive information
27
Illustrative MLS Demonstrations (at UNO on COTS GTNP Kernel)
  • Multilevel Secure Web Server
    • Browse down
    • Unhackable web resources
  • Multilevel FTP Server
  • Covert Communications Proxy

28
Multilevel Web Server Demo
[Diagram: High Network Domain and Low Network Domain served by the multilevel web server; high integrity administration (and Web page authoring).]
29
Illustrative MLS Demonstrations (at UNO on COTS GTNP Kernel)
  • Multilevel Secure Web Server
  • Multilevel FTP Server
    • High network users see high & low files
    • Low network users cannot see high files
  • Covert Communications Proxy

30
Multilevel FTP Server Demo
[Diagram: Low Network Domain and High Network Domain served by the multilevel FTP server.]
31
Illustrative MLS Demonstrations (at UNO on COTS GTNP Kernel)
  • Multilevel Secure Web Server
  • Multilevel FTP Server
  • Covert Communications Proxy
    • Low sources put files onto high servers

32
Covert Comms Proxy Demo
[Diagram: Low Network Domain, High Network Domain and the high-side File Server reached through the proxy.]
33
MLS Demonstrations Summary (at UNO on COTS GTNP Kernel)
  • Multilevel Secure Web Server
    • Browse down
    • Unhackable web resources
  • Multilevel FTP Server
    • High network users see high & low files
    • Low network users cannot see high files
  • Covert Communications Proxy
    • Low sources put files onto high servers
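The three demonstrations, as an added example of the policy the kernel enforces (Python, written for this page; not GTNP or UNO code). It models the two Bell-LaPadula rules, no read up and no write down, in a toy reference monitor and runs each demonstration's accesses through it, including the "share but resist subversion" case where a Trojan in a high-side application tries to push high data down. The subject names, labels, file paths and contents are constructed for the demo:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """Security label: a level plus a set of compartments (a lattice)."""
    level: int                       # 0 = low network, 1 = high network
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and self.compartments >= other.compartments


LOW = Label(0)
HIGH = Label(1)


class ReferenceMonitor:
    """Toy kernel: every access is mediated here. The web server, FTP server
    and proxy are untrusted application code that can only call read/write."""

    def __init__(self) -> None:
        self._subjects = {}          # name -> clearance label
        self._objects = {}           # name -> [classification label, content]

    def add_subject(self, name: str, clearance: Label) -> None:
        self._subjects[name] = clearance

    def add_object(self, name: str, classification: Label, content: str = "") -> None:
        self._objects[name] = [classification, content]

    def read(self, subject: str, obj: str) -> str:
        # Simple security property: no read up.
        if not self._subjects[subject].dominates(self._objects[obj][0]):
            raise PermissionError(f"{subject} may not read {obj}")
        return self._objects[obj][1]

    def write(self, subject: str, obj: str, data: str) -> None:
        # *-property: no write down; the object's label must dominate the subject's.
        if not self._objects[obj][0].dominates(self._subjects[subject]):
            raise PermissionError(f"{subject} may not write {obj}")
        self._objects[obj][1] = data


def build_demo() -> ReferenceMonitor:
    """Constructed subjects and objects for the three demonstrations."""
    rm = ReferenceMonitor()
    rm.add_subject("high_user", HIGH)
    rm.add_subject("low_user", LOW)
    rm.add_subject("high_app_with_trojan", HIGH)
    rm.add_object("/www/public/index.html", LOW, "public page")
    rm.add_object("/ftp/readme.txt", LOW, "low readme")
    rm.add_object("/ftp/plans.txt", HIGH, "high plans")
    rm.add_object("/ftp/dropbox.txt", HIGH, "")
    return rm


def _attempt(fn, *args) -> str:
    """Run one access and report its content, 'allowed' or 'denied'."""
    try:
        result = fn(*args)
        return "allowed" if result is None else result
    except PermissionError:
        return "denied"


def run_demos() -> dict:
    rm = build_demo()
    return {
        # Multilevel web server: browse down from high to a low page.
        "web_browse_down": _attempt(rm.read, "high_user", "/www/public/index.html"),
        # Multilevel FTP: high sees high & low files, low cannot see high.
        "ftp_high_reads_low": _attempt(rm.read, "high_user", "/ftp/readme.txt"),
        "ftp_high_reads_high": _attempt(rm.read, "high_user", "/ftp/plans.txt"),
        "ftp_low_reads_high": _attempt(rm.read, "low_user", "/ftp/plans.txt"),
        # Covert comms proxy: low puts a file onto the high server (write up)
        # but cannot read it back.
        "proxy_low_writes_up": _attempt(rm.write, "low_user", "/ftp/dropbox.txt", "from low"),
        "proxy_low_reads_back": _attempt(rm.read, "low_user", "/ftp/dropbox.txt"),
        # Share but resist subversion: a Trojan in a high application still
        # cannot push high data down, whatever its code does.
        "trojan_write_down": _attempt(rm.write, "high_app_with_trojan",
                                      "/www/public/index.html", "high plans"),
    }
```

The application code never decides anything; the only trusted logic is the two `dominates` checks, which is the property that makes the kernel, and not the web server, FTP server or proxy, the thing that has to be verified.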

34
Previously Delivered MLS Solutions Validated
Verifiable Technology
  • BLACKER VPN (NSA product on GTNP)
  • HSRP Pentagon MLS gateway (on GTNP)
  • CHOTS Guard UK MOD system (on GTNP)
  • COTS Trusted Oracle 7 (GTNP design)
  • SACLANT client/server (GTNP design)
  • AFFPB Crypto-seal guard (POC on GTNP)

35
Examples of More Opportunities to Apply Verifiable Technology
  • MLS Networked Windows (Thin Client)
  • MLS network attached storage (NAS)
  • Guards and filters
  • Real-time exec (e.g., SCADA appliances)
  • Verifiably secure MLS Linux, Unix, *ix
  • Identity mgt (PKI quality attribute)
  • MLS handheld network devices (PDA)

36
Cost Benefit of Evaluated Protection Capabilities
[Chart: costs to develop and benefit to user plotted against threat, with the axis labelled by TCSEC rating (from C1) and Common Criteria assurance (from EAL2); "Best Commercial Practice" marked at the C1/EAL2 end.]
37
Conclusion: Watchmen Sound the Alarm
  • Subversion threat is serious and growing
    • Low cost, low risk to attacker, virtually undetectable
    • Highly effective, extensible, e.g., two card loader
  • Unconscionable use of overly weak solution
    • Current practice invites catastrophic mission impacts
    • Pixie dust of secure components gives false security
  • Verifiable protection technology languishes
    • Government impedes proven COTS verifiable MLS
      • Competition from Government in funding experiments
      • Discrimination in evaluation, e.g., no certificates, no RAMP
    • Users fail to validate product hypothesis to vendors
      • Often uninformed/misinformed by security professionals

38
Are the System Security Watchmen Asleep?
ICIW 2008, University of Nebraska Omaha, April 24, 2008
Dr. Roger R. Schell, Roger.Schell@aesec.com