æSec - Academic Conferences Limited


Slide 0: Are the System Security Watchmen Asleep?

Dr. Roger R. Schell
Roger.Schell@aesec.com

ICIW 2008, University of Nebraska Omaha, April 24, 2008


Slide 1: Overview

- Executives often clueless about security
  - They rely on professionals to be their “watchmen”
  - “Acceptable risk” based on gross misperception
- Serious failure by security professionals
  - Don’t warn of adversaries’ subversion attack tools
  - Don’t warn that current solutions are highly ineffective
- “Watchmen” responsible for likely disasters
  - “Blood on the hands” of those not sounding alarm
- Time to sound alarm: need radical change
  - Proven verifiable protection is available, but languishes







Slide 2: Air Gap Between Domains Is Secure, But Crippling …

“Lack of multilevel security (MLS) not only slows information sharing but often prevents it altogether” - Congressional Report on 9/11

[Diagram: separate, air-gapped networks: SIPRNET, GWAN (IWS), NSANET (IWS), JWICS (IWS), Site Ops Net, JWICS VTC, OSINT, READOUT, Multi-Net (IWS)]

Slide 3: Misguided Management Response

- Accredit & deploy low assurance platforms
  - SE Linux
  - Virtual Machine Monitor, e.g., NetTop
  - Trusted Solaris
  - DODIIS Trusted Workstation (DTW)
  - “Guards” and filters, e.g., Radiant Mercury, ISSE
- Ignore that low assurance is unevaluatable
  - Technology can only assure finding “obvious flaws”
  - Attackers rule, disasters are likely
- Exacerbate risks with plans to get well
  - Reliance on “added on” security makes things worse

Slide 4: Outline: Watchmen Sound the Alarm

- Subversion threat is serious and growing
- Unconscionable use of overly weak solution
- Verifiable protection technology languishes




Slide 5: Cross-Domain Solution (CDS) (Uninformed Executive Perception)

[Diagram: Low Network Domain <-> Operating System with Cross Domain Solution (CDS) <-> High Network Domain. Executive perception of current CDSs: controlled sharing (believes the CDS prevents high information from flowing down)]

Slide 6: Challenge is CDS Connectivity (A “theorem” from science)

[Diagram: Low Networks or Internet Domain connected to Corporate or Government High Networks Domain]

Computer Security Intermediate-Value Theorem (Dr. David Bell, 2006: http://www.acsac.org/2005/papers/Bell.pdf): connection of disparate domains is multilevel.

Slide 7: Cyber Warfare Subversion Likely

- Tiger Teams: subversion is tool of choice
  - http://www.airpower.maxwell.af.mil/airchronicles/aureview/1979/jan-feb/schell.html
  - http://www.acsac.org/2002/papers/classic-multics.pdf
- Adversaries can use 30+ years experience
  - The threat has only increased with time
- Trojan horses: application subversion
  - Thousands in products, e.g., viruses and “Easter Eggs”
- Trap doors: infrastructure subversion
  - Root kits, malware
- Buy IT solution from your mortal enemy?
  - Better figure out how, because likely you are
  - Software of uncertain pedigree

Slide 8: Trojan Horse Attack: Malicious code in use of CDS

- Hidden functionality in application & CDS
  - Adversary usually outsider (stranger to victim)
  - Can be surreptitiously distributed
- Application user is unwitting agent
  - Requires victim (user) to execute application
  - Constrained by system security controls on victim
  - Exploitation undetected & controlled by remote design
- Current networks open vast opportunity
  - Testing & review to detect is futile and delusional
  - Little mitigation in applications and most CDS systems

Slide 9: Trojan Horse Attack: Cross-Domain Solution (CDS)

[Diagram: Low Network Domain <-> Operating System with Cross Domain Solution (CDS) <-> High Network Domain. Determined adversary understanding of reality of current CDSs: Trojan horses exfiltrate data (substantial high data leakage to low domain)]

Slide 10: Trap Door Attack: Subversion of Infrastructure

- Malicious code in platform
  - Software, e.g., operating system, drivers, tools
  - Hardware/firmware, e.g., BIOS in PROM
  - Artifice can be embedded any time during lifecycle
- Adversary chooses time of activation
  - Can be remotely activated/deactivated
  - Unique “key” or trigger known only to attacker
  - Needs no (even unwitting) victim use or cooperation
- Efficacy and effectiveness demonstrated
  - Exploitable by malicious applications, e.g., Trojans
  - Long-term, high potential future benefit to adversary
  - Testing not at all a practical way to detect

Slide 11: Trap Door Attack: Cross-Domain Solution (CDS)

[Diagram: Low Network Domain <-> Operating System with Cross Domain Solution (CDS) <-> High Network Domain. Determined adversary understanding of reality of current CDSs: trap door gives low attacker access to data (low has repeated, undetected access to high information)]

Slide 12: Summary of Subversion Process

- Step #1: infrastructure subversion
  - Integral to installed software, e.g., trap door
  - Added to software suite during lifecycle, e.g., viruses
  - Big attraction: easy to avoid being apprehended
    - Perpetrator not present at time of attack
- Step #2: execution of artifice software
  - Can activate by unique “key” or trigger
  - NPS demo, 12 lines of code (LOC) subverts Linux NFS
- Step #3: (optional) “two card loader”
  - Bootstrap small toehold for diverse customized attacks
  - NPS demo with 6 LOC to subvert XP and then IPSEC
- Step #4: access unauthorized domain data

Slide 13: CDS Subversion Vulnerability

[Diagram: Low Networks or Internet Domain connected to Corporate or Government High Networks Domain]

Computer Security Intermediate-Value Theorem: connection of disparate domains is multilevel.

* CDSs not verifiably multilevel secure (MLS): loss of secrecy, loss of integrity

Slide 14: Outline: Watchmen Sound the Alarm

- Subversion threat is serious and growing
  - Low cost, low risk to attacker, virtually undetectable
  - Highly effective, extensible, e.g., “two card loader”
- Unconscionable use of overly weak solution
- Verifiable protection technology languishes

Slide 15: Weakest Link is Flawed Solutions

- Single flawed interface exposes whole net
  - “Defense in depth” as used is myth: ignores subversion
  - Plethora of “band aid” solutions, e.g., firewall, IDS, …
  - Low assurance CDSs, e.g., guards, invite disaster
  - Like WW II crypto use sent thousands to watery grave
- “Secure application” is non-computable
  - Determining it is multilevel secure (MLS) is impossible
  - Common practice and policy cannot change science
  - Equivalent to stream of “perpetual motion” patents

Slide 16: “Secure” Pixie Dust Components

- Vested interest research “sand boxes”
  - Saps funds and attention with little accountability
  - Implied accreditation shortcut inhibits warnings
  - Subsidized contributions drive out system solutions
- Hard problems for MLS systems remain
  - Encryption, “opiate of the naive”, needs trusted control
  - No security hardware, e.g., TPM, composition defined
  - Virtualization hardware needs high assurance monitor
  - Separation kernel needs reference monitor
  - Security from guard script language is non-computable
  - CDS can be no better than platform it is on

Slide 17: Flaws in System Solutions Missed

- False security from isolated components
- Accreditors cannot responsibly judge flaws
  - Lack “approved” system security evaluation criteria
  - Unskilled in assessing methods to address subversion
- Only a verifiably secure CDS is evaluatable
  - On verifiable trusted computing base (TCB) platform
  - Last coherent codification in TCSEC “Class A1”
- System security must be designed in, not bolted on
  - Includes composition of “partitions” and “subsets”

Slide 18: Impact Indications and Warning

- Vendor downloadable product subverted
  - “Cracker gained user-level access to modify the download file. . . . you pray never happens, but it did.” (WordPress, reported on wordpress.org, March 2, 2007)
- Intrusion can replace traditional espionage
  - “you can exfiltrate massive amounts of information electronically from the comfort of your own office.” (Joel Brenner, counterintelligence executive, in CNN.com, October 19, 2007)
- SW subversion steals credit/debit card data
  - “an ‘illicit and unauthorized computer program’ was secretly installed at every one of its 300-plus stores.” (Hannaford Bros. Co., reported on eWeek.com, March 28, 2008)
- Military recognition of subversion
  - “vulnerabilities are introduced during manufacturing that an adversary can then exploit.” (Lt. Gen. Robert Elder, USAF, at Cyber Warfare Conference, April 2008)

Slide 19: State of Cyber Warfare Defense

“Nearly thirty years ago, Roger Schell accurately predicted: systems not designed for the modern Internet threats, poorly implemented, forcing the installation of nearly daily security patches, and many millions of systems being compromised on an ongoing basis.”

Dave Safford, Manager, IBM Global Security Analysis Lab
http://www.research.ibm.com/gsal/tcpa/why_tcpa.pdf

Slide 20: Outline: Watchmen Sound the Alarm

- Subversion threat is serious and growing
  - Low cost, low risk to attacker, virtually undetectable
  - Highly effective, extensible, e.g., “two card loader”
- Unconscionable use of overly weak solution
  - Current practice invites catastrophic mission impacts
  - Pixie dust of “secure” components gives false security
- Verifiable protection technology languishes

Slide 21: Sharing Data Across Disparate Domains Needs MLS

[Diagram: High Network Domain <-> Multi-Level Secure Connection <-> Low Network Domain]

- Isolation obstructs missions
  - Tactical situational awareness
  - Efficient utilization of resources
- Any low connection => MLS
  - Must be Multi-Level Secure (MLS)
- Low/Medium assurance ineffective
  - No protection against subversion
  - Vulnerabilities unknown (unknowable)
- Class A1 resists subversion
  - Is verifiably secure (high assurance)
  - Verifies absence of malicious code
  - Key enabler for CDS accreditation

Slide 22: Share but Resist Subversion

[Diagram: Low Network Domain <-> Verifiably Secure TCB hosting the Cross Domain Solution (CDS) <-> High Network Domain. Adversary plants trap door or Trojan horse (“impossible to find or fix”); TCB still prevents information from flowing down]

“an arms race we cannot win” (IBM VP at RSA, Apr 2008)

Slide 23: Proven Methods

- Evaluated and deployed TCB
- Balanced assurance, composable subsets for systems
- Mature, proven trusted systems technology
- TCSEC/TNI need not be used as organizational utterance for policy


Slide 24: Verifiably Secure: Class A1 / EAL7

[Diagram: TCSEC ratings against Common Criteria assurance levels, C1/EAL2, C2/EAL3, B1/EAL4, B2/EAL5, B3/EAL6, A1/EAL7. Everything below A1/EAL7 is marked “unknown vulnerabilities”, with a warning to beware of “No Man’s Land”; A1/EAL7 is marked “no vulnerabilities”]

Only Class A1/EAL7 excludes malicious software.

Slide 25: Proven Solution: Security Kernel

[Diagram of a verifiably secure platform, layered from top to bottom: Security Services, Appliances, Applications; Operating System; Verifiable Security Kernel; Intel x.86 Hardware Platform with Disk, Network, Monitor/Keyboard]

“The only way we know . . . to build highly secure software systems of any practical interest is the kernel approach.” -- ARPA Review Group, 1970s (Butler Lampson, Draper Prize recipient)

A computable solution to process simultaneously a range of sensitive information.

Slide 26: Illustrative MLS Demonstrations (at UNO on COTS GTNP Kernel)

- Multilevel Secure Web Server
  - Browse down
  - Unhackable web resources
- Multilevel FTP Server
- Covert Communications Proxy


Slide 27: Multilevel Web Server Demo

[Diagram: High Network Domain and Low Network Domain, each with a Browser, connected to a Multilevel Web Server App running on a Verifiable TCB (e.g., Class A1 GTNP); high integrity administration (and Web page authoring) is done from the high side]

Slide 28: Illustrative MLS Demonstrations (at UNO on COTS GTNP Kernel)

- Multilevel Secure Web Server
- Multilevel FTP Server
  - High network users see high & low files
  - Low network users cannot see high files
- Covert Communications Proxy

Slide 29: Multilevel FTP Server Demo

[Diagram: High Network Domain and Low Network Domain connected to a Multilevel FTP Server App running on a Verifiable TCB (e.g., Class A1 GTNP)]

Slide 30: Illustrative MLS Demonstrations (at UNO on COTS GTNP Kernel)

- Multilevel Secure Web Server
- Multilevel FTP Server
- Covert Communications Proxy
  - Low sources put files onto high servers

Slide 31: Covert Comms Proxy Demo

[Diagram: Low Network Domain connected through an MLS Covert Comms Proxy running on a Verifiable TCB (e.g., Class A1 GTNP) to a File Server in the High Network Domain]

Slide 32: MLS Demonstrations Summary (at UNO on COTS GTNP Kernel)

- Multilevel Secure Web Server
  - Browse down
  - Unhackable web resources
- Multilevel FTP Server
  - High network users see high & low files
  - Low network users cannot see high files
- Covert Communications Proxy
  - Low sources put files onto high servers
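The three demonstrations above, and the "TCB still prevents information from flowing down" point of the Share but Resist Subversion slide, all follow from the same two mandatory rules: a subject may read an object only if its label dominates the object's (no read up), and may write only if the object's label dominates its own (no write down). The following is an added example, not code from the talk or from Aesec's GTNP; it models those rules over a small label lattice and applies them to constructed file names and labels. It goes slightly beyond the two-level demos by carrying compartments in the label, so labels that are neither above nor below each other are also refused.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a hierarchical level plus a set of compartments."""
    level: int
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level at least as high AND a superset of compartments.
        return self.level >= other.level and self.compartments >= other.compartments


LOW = Label(0)   # constructed: the "Low Network Domain" label
HIGH = Label(1)  # constructed: the "High Network Domain" label


def mac_permits(subject: Label, obj: Label, op: str) -> bool:
    """Mandatory check a TCB applies regardless of what the application asks for.
    read  -> simple security property: subject must dominate object (no read up)
    write -> *-property: object must dominate subject (no write down)"""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def ftp_listing(user: Label, files: Dict[str, Label]) -> List[str]:
    """Multilevel FTP demo: a user sees only the files the read rule allows."""
    return sorted(name for name, lbl in files.items() if mac_permits(user, lbl, "read"))


def proxy_deliver(source: Label, server: Label) -> bool:
    """Covert comms proxy demo: a low source may put a file onto a high server."""
    return mac_permits(source, server, "write")


def trojan_leak_attempt(victim_session: Label, drop_target: Label) -> bool:
    """A Trojan horse runs with the label of the victim's session; copying what it
    read there to a lower-labelled object is a write down, so the TCB refuses it."""
    return mac_permits(victim_session, drop_target, "write")


# Constructed sample objects, not from any real system.
FILES = {"ops-plan.doc": HIGH, "public-notice.txt": LOW}

if __name__ == "__main__":
    print(ftp_listing(HIGH, FILES))        # high user sees high & low files
    print(ftp_listing(LOW, FILES))         # low user cannot see high files
    print(mac_permits(HIGH, LOW, "read"))  # browse down is allowed
    print(proxy_deliver(LOW, HIGH))        # low source writes up to high server
    print(trojan_leak_attempt(HIGH, LOW))  # flow down is refused
```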

Slide 33: Previously Delivered MLS Solutions Validated Verifiable Technology

- BLACKER: VPN (NSA product on GTNP)
- HSRP: Pentagon MLS gateway (on GTNP)
- CHOTS Guard: UK MOD system (on GTNP)
- COTS Trusted Oracle 7 (GTNP design)
- SACLANT client/server (GTNP design)
- AFFPB Crypto-seal guard (POC on GTNP)

Slide 34: Examples of More Opportunities to Apply Verifiable Technology

- MLS Networked Windows (Thin Client)
- MLS network attached storage (NAS)
- Guards and filters
- Real-time exec (e.g., SCADA appliances)
- Verifiably secure MLS Linux, Unix, *ix
- Identity mgt (PKI quality attribute)
- MLS handheld network devices (PDA)

Slide 35: Cost & Benefit of Evaluated Protection Capabilities

[Chart: benefit to user (vertical axis) against costs to develop (horizontal axis), with threat increasing alongside the ratings]

TCSEC Rating | Common Criteria Assurance | Benefit to user
C1           | EAL2                      | Best commercial practice
C2           | EAL3                      | Best commercial practice
B1           | EAL4                      | Resistant to Trojan horses
B2           | EAL5                      | Resistant to Trojan horses
B3           | EAL6                      | Resistant to Trojan horses
A1           | EAL7                      | Insurable, no trap doors; immune to Trojan horses

Costs shown: development & evaluation cost for a new verifiably secure product, versus development & evaluation cost if an already rated product were used, e.g., Aesec’s Class A1 GTNP.

Slide 36: Conclusion: Watchmen Sound the Alarm

- Subversion threat is serious and growing
  - Low cost, low risk to attacker, virtually undetectable
  - Highly effective, extensible, e.g., “two card loader”
- Unconscionable use of overly weak solution
  - Current practice invites catastrophic mission impacts
  - Pixie dust of “secure” components gives false security
- Verifiable protection technology languishes
  - Government impedes proven COTS verifiable MLS
    - “Competition” from Government in funding experiments
    - Discrimination in evaluation, e.g., no “certificates”, no RAMP
  - Users fail to validate product hypothesis to vendors
    - Often uninformed/misinformed by security professionals



Slide 37: Are the System Security Watchmen Asleep?

Dr. Roger R. Schell
Roger.Schell@aesec.com

ICIW 2008, University of Nebraska Omaha, April 24, 2008