Embed Size (px)
Citation preview
æSec™
1
Are the System Security
Watchmen Asleep?
Dr. Roger R. [email protected]
ICIW 2008University of Nebraska OmahaApril 24, 2008
æSec™
2
Overview
Executives often clueless about security– They rely on professionals to be their “watchmen”– “Acceptable risk” based on gross misperception
Serious failure by security professionals – Don’t warn of adversaries’ subversion attack tools – Don’t warn that current solutions are highly ineffective
“Watchmen” responsible for likely disasters– “Blood on the hands” of those not sounding alarm
Time to sound alarm -- need radical change – Proven verifiable protection is available, but
languishes
æSec™
3
Air Gap Between Domains Is Secure– But Crippling …
“Lack of multilevel security (MLS) not only slows information sharing but often prevents it altogether“ - Congressional Report on 9/11
SIPRNETSIPRNET
GWANGWAN(IWS)(IWS)
NSANETNSANET(IWS)(IWS) JWICSJWICS
(IWS)(IWS)
SiteSiteOps NetOps Net
JWICS VTCJWICS VTC
OSINTOSINT
READOUTREADOUTMulti-NetMulti-Net
(IWS)(IWS)
æSec™
4
Misguided Management Response Accredit & deploy low assurance platforms
– SE Linux– Virtual Machine Monitor, e.g., NetTop– Trusted Solaris– DODIIS Trusted Workstation (DTW) – “Guards” and filters, e.g., Radiant Mercury, ISSE
Ignore that low assurance is unevaluatable– Technology can only assure finding “obvious flaws”– Attackers rule, disasters are likely
Exacerbate risks with plans to get well – Reliance on “added on” security makes things worse
æSec™
5
Outline:Watchmen – Sound the Alarm Subversion threat is serious and
growing
Unconscionable use of overly weak solution
Verifiable protection technology languishes
æSec™
6
Operating System
Cross DomainSolution (CDS)
Cross-Domain Solution (CDS)(Uninformed Executive Perception)
LowNetworkDomain
LowNetworkDomain
Executive Perception of current CDSs:
Controlled sharing
(Believes CDS prevents high information from flowing down)
HighNetworkDomain
HighNetworkDomain
æSec™
7
Challenge is CDS Connectivity(A “theorem” from science)
Low Networks or Internet
Domain
Corporate or Government High Networks Domain
Computer Security Intermediate-Value Theorem (Dr. David Bell, 2006: http://www.acsac.org/2005/papers/Bell.pdf)
Connection of disparate domains is multilevel
æSec™
8
Cyber Warfare Subversion Likely Tiger Teams: subversion is tool of choice
– http://www.airpower.maxwell.af.mil/airchronicles/aureview/1979/jan-feb/schell.html
– http://www.acsac.org/2002/papers/classic-multics.pdf
Adversaries can use 30 + years experience– The threat has only increased with time– Trojan horses – application subversion
• Thousands in products, e.g., viruses and “Easter Eggs”
– Trap doors – infrastructure subversion• Root kits, malware
Buy IT solution from your mortal enemy?– Better figure out how, because likely you are– Software of uncertain pedigree
æSec™
9
Trojan Horse Attack: Malicious code in use of CDS Hidden functionality in application & CDS
– Adversary usually outsider (stranger to victim)– Can be surreptitiously distributed
Application user is unwitting agent– Requires victim (user) to execute application– Constrained by system security controls on victim– Exploitation undetected & controlled by remote design
Current networks’ open vast opportunity– Testing & review to detect is futile and delusional – Little mitigation in applications and most CDS systems
æSec™
10
Operating System
Cross DomainSolution (CDS)
Trojan Horse Attack:Cross-Domain Solution (CDS)
Determined adversary
understanding of reality of current CDSs:
Trojan horses exfiltrate data
(Substantial high data leakage to low domain) Low
NetworkDomain
LowNetworkDomain
HighNetworkDomain
HighNetworkDomain
æSec™
11
Trap Door Attack: Subversion of Infrastructure Malicious code in platform
– Software, e.g., operating system, drivers, tools– Hardware/firmware, e.g., BIOS in PROM– Artifice can be embedded any time during lifecycle– Adversary chooses time of activation
Can be remotely activated/deactivated– Unique “key” or trigger known only to attacker– Needs no (even unwitting) victim use or cooperation
Efficacy and Effectiveness Demonstrated– Exploitable by malicious applications, e.g., Trojans– Long-term, high potential future benefit to adversary– Testing not at all a practical way to detect
æSec™
12
Operating System
Cross DomainSolution (CDS)
Trap Door Attack:Cross-Domain Solution (CDS)
Determined adversary
understanding of reality of current CDSs:
Trap door gives low attacker
access to data
(Low has repeated, undetected access to high information)
LowNetworkDomain
LowNetworkDomain
HighNetworkDomain
HighNetworkDomain
æSec™
13
Summary of Subversion Process Step #1 – infrastructure subversion
– Integral to installed software, e.g. trap door – Added to software suite during lifecycle, e.g., viruses– Big attraction: easy to avoid being apprehended
• Perpetrator not present at time of attack
Step #2 – execution of artifice software– Can activate by unique “key” or trigger – NPS demo, 12 lines of code (LOC) subverts Linux NFS
Step #3 – (optional) “two card loader”– Bootstrap small toehold for diverse customized attacks – NPS demo with 6 LOC to subvert XP and then IPSEC
Step #4 – access unauthorized domain data
æSec™
14
CDS Subversion Vulnerability
Low Networks or Internet
Domain
Corporate or Government High Networks Domain
Computer Security Intermediate-Value Theorem: Connection of disparate domains is multilevel
* CDSs not verifiably multilevel secure (MLS)
Loss of Secrecy
Loss of Integrity
*
æSec™
15
Outline:Watchmen – Sound the Alarm Subversion threat is serious and growing
– Low cost, low risk to attacker, virtually undetectable
– Highly effective, extensible, e.g., “two card loader”
Unconscionable use of overly weak solution
Verifiable protection technology languishes
æSec™
16
Weakest Link is Flawed Solutions
Single flawed interface exposes whole net– “Defense in depth” as used is myth: ignores subversion– Plethora of “band aid” solutions, e.g., firewall, IDS, …– Low assurance CDSs, e.g., guards invite disaster– Like WW II crypto use sent thousands to watery grave
“Secure application” is non-computable– Determining it is multilevel secure (MLS) is impossible– Common practice and policy cannot change science– Equivalent to stream of “perpetual motion” patents
æSec™
17
“Secure” Pixie Dust Components Vested interest research “sand boxes”
– Saps funds and attention with little accountability– Implied accreditation shortcut inhibit warnings– Subsidized contribution drive out system solutions
Hard problems for MLS systems remain– Encryption “opiate of the naive” needs trusted control– No security hardware, e.g., TPM, composition defined– Virtualization hardware need high assurance monitor– Separation kernel needs reference monitor– Security from guard script language is non-computable
CDS can be no better than platform it is on
æSec™
18
Flaws in System Solutions Missed False security from isolated components
Accreditors cannot responsibly judge flaws– Lack “approved” system security evaluation criteria– Unskilled in assessing methods to address
subversion
Only a verifiably secure CDS is evaluatable– On verifiable trusted computing base (TCB) platform – Last coherent codification in TCSEC “Class A1”– System security must be designed in, not bolted on– Includes composition of “partitions” and “subsets”
æSec™
19
Impact Indications and Warning Vendor downloadable product subverted
“Cracker gained user-level access to modify the download file. . . . you pray never happens, but it did.”
– WordPress, reported on wordpress.org, March 2, 2007
Intrusion can replace traditional espionage “you can exfiltrate massive amounts of information
electronically from the comfort of your own office.”– Joel Brenner, counterintelligence executive in CNN.com, October 19, 2007
SW subversion steals credit/debit card data “an ‘illicit and unauthorized computer program’ was
secretly installed at every one of its 300-plus stores.”– Hannaford Bros. Co., reported on eWeek.com, March 28, 2008
Military recognition of subversion “vulnerabilities are introduced during manufacturing
that an adversary can then exploit.”– Lt. Gen. Robert Elder, USAF, at Cyber Warfare Conference, April 2008
æSec™
20
State of Cyber Warfare Defense
“Nearly thirty years ago, Roger Schell accurately predicted: systems not designed for the modern Internet threats, poorly implemented, forcing the installation of nearly daily security patches, and many millions of systems being compromised on an ongoing basis.”
Dave Safford, Manager, IBM Global Security Analysis Labhttp://www.research.ibm.com/gsal/tcpa/why_tcpa.pdf
æSec™
21
Outline:Watchmen – Sound the Alarm Subversion threat is serious and growing
– Low cost, low risk to attacker, virtually undetectable
– Highly effective, extensible, e.g., “two card loader”
Unconscionable use of overly weak solution– Current practice invites catastrophic mission
impacts– Pixie dust of “secure” components gives false
security Verifiable protection technology
languishes
æSec™
22
Multi-LevelSecure
Connection
Any low connection => MLS– Must be Multi-Level Secure
(MLS)– Low/Medium assurance
ineffective• No protection against subversion • Vulnerabilities unknown
(unknowable)
Class A1 resists subversion– Is verifiably secure (high
assurance)– Verifies absence of malicious
code– Key enabler for CDS
accreditation
HighNetworkDomain
HighNetworkDomain
Sharing Data AcrossDisparate Domains Need MLS
Isolation obstructs missions
– Tactical situational awareness – Efficient utilization of resources
LowNetworkDomain
LowNetworkDomain
æSec™
23
Share but Resist Subversion
LowNetworkDomain
LowNetworkDomain
Adversaryplants trap door or Trojan horse
Verifiably Secure TCB
Cross DomainSolution (CDS)
HighNetworkDomain
HighNetworkDomain
TCB still prevents information from flowing down
“an arms race we cannot win” – IBM VP at RSA, Apr 2008
Impossible to find or Fix
æSec™
24
Proven Methods Evaluated and Deployed TCB
Balanced assurance, composable subsets for systems
Mature, proven trusted systems technology– TCSEC/TNI need not be used as organizational utterance for policy
æSec™
25
Verifiably Secure: Class A1 / EAL7
CommonCriteria TCSEC
A1EAL7
UNKNOWN VULNERABILITIES
NO VULNERABILITIES
Beware of “No Man’s Land”
B2
B3
C1
EAL2
EAL6EAL5
B1C2
EAL4EAL3
Only Class A1/EAL7 excludes malicious software
æSec™
26
SecurityServices
AppliancesApplications
OperatingSystem
Proven Solution: Security Kernel
VerifiablySecure
Platform
Verifiable Security Kernel
“The only way we know . . . to build highly secure software systems of any practical interest is the kernel approach.”
-- ARPA Review Group, 1970s (Butler Lampson, Draper Prize recipient)
Intel x.86 Hardware Platform
DiskNetwork Monitor/Keyboard
A computable solution to process simultaneouslya range of sensitive information
æSec™
27
Illustrative MLS Demonstrations,(at UNO on COTS GTNP Kernel) Multilevel Secure Web Server– Browse down– Unhackable web resources
Multilevel FTP Server
Covert Communications Proxy
æSec™
28
Multilevel Web Server Demo
High integrity administration (and
Web page authoring)
Browser Browser
HighNetworkDomain
HighNetworkDomain
Verifiable TCB(e.g., Class A1 GTNP)
Multilevel Web Server App
LowNetworkDomain
LowNetworkDomain
æSec™
29
Illustrative MLS Demonstrations,(at UNO on COTS GTNP Kernel) Multilevel Secure Web Server
Multilevel FTP Server– High network users see high & low
files– Low network users cannot see high
files
Covert Communications Proxy
æSec™
30
Multilevel FTP Server Demo
HighNetworkDomain
HighNetworkDomain
Verifiable TCB(e.g., Class A1 GTNP)
Multilevel FTP Server App
LowNetworkDomain
LowNetworkDomain
æSec™
31
Illustrative MLS Demonstrations,(at UNO on COTS GTNP Kernel) Multilevel Secure Web Server
Multilevel FTP Server
Covert Communications Proxy– Low sources put files onto high
servers
æSec™
32
Covert Comms Proxy Demo
HighNetworkDomain
HighNetworkDomain
Verifiable TCB(e.g., Class A1 GTNP)
MLS CovertComms Proxy
LowNetworkDomain
LowNetworkDomain
FileServer
æSec™
33
MLS Demonstrations Summary
(at UNO on COTS GTNP Kernel) Multilevel Secure Web Server
– Browse down– Unhackable web resources
Multilevel FTP Server– High network users see high & low files– Low network users cannot see high files
Covert Communications Proxy– Low sources put files onto high servers
æSec™
34
Previously Delivered MLS Solutions Validated Verifiable Technology BLACKER – VPN (NSA product on GTNP)
HSRP – Pentagon MLS gateway (on GTNP)
CHOTS Guard – UK MOD system (on GTNP)
COTS Trusted Oracle 7 – (GTNP design)
SACLANT client/server (GTNP design)
AFFPB Crypto-seal guard (POC on GTNP)
æSec™
35
Examples of More Opportunities to Apply Verifiable Technology MLS Networked Windows (Thin Client)
MLS network attached storage (NAS)
Guards and filters
Real-time exec (e.g., SCADA appliances)
Verifiably secure MLS Linux, Unix, *ix
Identity mgt (PKI quality attribute)
MLS handheld network devices (PDA)
æSec™
36
Best Commercial Practice
C1
EAL2
C2
EAL3
Resistant to Trojan horses
B1
EAL4
B2
EAL5
B3
EAL6
Insurable, No Trap Doors; Immune to Trojan Horses
A1
EAL7
BENEFIT TO USER
TCSECRating
CommonCriteria Assurance
COSTS TO DEVELOP
Development & evaluation costfor new verifiably secure product
Cost & Benefit of Evaluated Protection Capabilities
THREAT
Development & evaluation cost if was rated, e.g., Aesec’s Class A1 GTNP
æSec™
37
Conclusion:Watchmen – Sound the Alarm Subversion threat is serious and growing
– Low cost, low risk to attacker, virtually undetectable– Highly effective, extensible, e.g., “two card loader”
Unconscionable use of overly weak solution– Current practice invites catastrophic mission impacts– Pixie dust of “secure” components gives false security
Verifiable protection technology languishes– Government impedes proven COTS verifiable MLS
• “Competition” from Government in funding experiments• Discrimination in evaluation, e.g., no “certificates”, no RAMP
– Users fail to validate product hypothesis to vendors• Often uninformed/misinformed by security professionals
æSec™
38
Are the System Security
Watchmen Asleep?
Dr. Roger R. [email protected]
ICIW 2008University of Nebraska OmahaApril 24, 2008
