Software Infrastructure for Electronic Commerce Professor Fred B. Schneider Dept. of Computer Science Cornell University

Post on 21-Dec-2015


Software Infrastructure for Electronic Commerce

Professor Fred B. Schneider
Dept. of Computer Science

Cornell University


Networked Computing Systems

Provide opportunities …
– Increase speed/bandwidth of interaction.
– New modes of interaction for customers.
– New services.

Introduce risks ...
– System development cost and timing.
– Dependence on hardware/software.


This week: CS lectures

Learn vocabulary and basic concepts for e-commerce-relevant concepts and technologies.

Build intuitions for using concepts and for evaluating relevant technologies.

Where are the opportunities today? Tomorrow?

Acquire technology skepticism.

Where are the risks today? Tomorrow?


Intended Audience

You are
– business-oriented person with strong interest in roles of computer and communications technology,
– user of computer applications (e.g. Word, Excel) but don’t know how to program,
– casual “surfer” of the internet (web) for information and/or purchases,
– and have not taken CS513, CS514, CS432, or CS632.


Lecturer Backgrounds

We are

– academic computer scientists who teach, research, and write,

– with industrial experience:
  Consulting to management.
  Running “start-ups” (2 on-going; 1 sold).
  CEO, CTO, chief scientist, tech advisory boards, etc.


Lecturers

Fred B. Schneider (Computer security) [email protected] 4115C Upson Hall 255-9221

Ken Birman (Networks/Reliability) [email protected] 4119B Upson Hall 255-9199

Johannes Gehrke (Databases/data mining) [email protected] 4108 Upson Hall 255-1045

Trustworthy Networked Information Systems

All about the non-technical context for this technical subject.


Networked Information Systems

Networked Information System (NIS) integrates
– computers,
– communications, and
– people (as users and as operators).

Distinguishing characteristics:
– Many interfaces to other systems.
– Commercial off-the-shelf (COTS) hardware + software.
– Extensible system components.


A Trustworthy NIS

Works correctly, despite
– environmental disruption,
– human user and operator errors,
– hostile attacks, and
– design and implementation errors.

Holistic and multidimensional problem:
– Property of system, not just components.
– Involves many interacting sub-properties.


NIS software characteristics

Substantial legacy content.
– Documentation missing or incomplete.
– Difficult to modify or port.

Grows by accretion and agglomeration.
– No master plan or architect.
– … Nobody understands how/why the system works.

Uses commercial off the shelf (COTS) components and COTS middleware:
– Reduces costs and risks.
– Increases labor pool.
– Facilitates interoperability.
– Limited internals visibility / capacity for change.
– Dependence on 3rd party.


Some relevant business trends

Organizations driven to operate faster / more efficiently (e.g. JIT production and services).

Climate of deregulation (e.g. power, telecom) promotes cost control and product enhancements.

Rise of electronic commerce.


NIS as a response

NIS affects costs and products:
– Enables outsourcing of suppliers (b2b).
– Enables diminishing capacity cushion.
  Control is more difficult --- need automated support.
  Control is more necessary --- don’t have spare capacity.
  But cascading failures more likely.
– Enables product enhancements, but complexity is increased so result is flaws and surprising behavior.


Two Case Studies

Public switched telephone network (PTN)

Internet


Changes in the PTN

Old model: Few telephone companies; regulated monopoly.
– Limited cost pressure.
– Comparatively few services.

New model: Many telephone companies; freely compete.
– Intense cost pressure stresses facilities.
– Many services, for marketing and interworking.


Redundancy in the PTN

Laying cable involves high cost per mile.
– Carry more calls per cable; cut costs.
– Fewer cables: less backup; more circuits interrupted by each incident.

So, companies lease circuits from each other.
– Less aggregate spare capacity than appears at first glance.

Central offices are expensive -- land, auxiliary equipment, etc.
So, fewer CO’s; each one is larger.


New Services in the PTN

New services introduced for differential advantage…
… but now more complexity in the network.

Must interoperate with other telco’s.
– Check databases; hand off calls to proper carrier, etc.
– Again, more complexity.

Newer equipment (cross-connects, muxes) is software-controlled.
– Requires authorization.


Many Telephone Companies

Past: Switches and protocols were designed assuming few, trustworthy telcos.

No firewalls exist for “SS7”.

Today: Anyone can be a phone company; inexperience matters even more than malice.


State of the Internet

The Internet has always had many ISPs.

No one has a complete view of network state.

Engineering is hard; problems tend to occur at the seams.

Cluelessness abounds.


Routing Issues

Tension: responsiveness versus instability during changes.
– Configuration errors increase “flapping” rate.

Routing protocols are insecure.
– Errors have already disrupted routing.
– Attacker could reroute traffic deliberately.

Need QoS-sensitive routing mechanisms.


General Internet Security

Pretty bad…

Some problems due to lack of cryptography.
– IP spoofing, password “sniffing”, etc.
– IPSEC deployment should help this.

Most problems due to buggy code.
– Cryptography won’t help this at all.
– Reported bugs are in cryptographic modules.


Everything is Interconnected

Phone and power companies use Internet technology.

Their operational systems are linked to their corporate systems, which are linked to the Internet.

And the Internet requires power, and is largely built on top of PTN circuits.


What about Internet Telephony?

Many PTN-specific vulnerabilities (links, databases, etc.) will remain.

New reliance on IP routing, rather than PTN routing.

New database needed, to map phone numbers to IP addresses.

Harder to move control functions out-of-band on the Internet.


What if NIS is not trustworthy ...

Information disclosure (stored or transmitted)
– personal embarrassment
– compromise of corporate strategy
– compromise of national security

Information alteration
– affect government or corporate operations

New forms of warfare
– disable capacity without physical destruction.
– attack without physical penetration by attacker.
– “time bomb” and undetectable attacks.


Why isn’t NIS trustworthy? Cost!

COTS is cheaper than custom.
– Time-to-market determines market share.
– COTS producers believe:
  Customers prefer features to trustworthiness.
  Adding trustworthiness increases time-to-market.

Must use existing communications fabrics.
– Few can shoulder the burden of laying cable.
– Existing services (PSTN, Internet) not well suited for NIS trustworthiness.


Costs / Trustworthiness could change

Moore’s Law:
– Semiconductor density doubles every 18-24 months.

COTS predominance implies trustworthiness investments can be highly leveraged.

Communications fabrics likely to undergo radical changes in coming years:
– growth in cable, satellite, cellular.
– new pricing for new services.


Why invest in trustworthiness?

To manage risk!
– Need: probabilities and costs of breaches.
– … Security risks more difficult to identify and quantify than those that arise for reliability.
– Clear trend: migration from risk avoidance to risk management?

To create new market opportunities:
– Fed Exp, Banking, e-commerce b2b/b2p


Won’t market solve this problem?

No. Few customers understand:
– What trustworthiness buys.
– What is risked by its absence.
(Reliability is an exception: strong market here.)

Consumers seem to prefer functionality!

Producers/consumers cannot assess:
– Trustworthiness of products.
– Costs of having trustworthiness in products.
– Costs of not having trustworthiness in products.


Conveying product trustworthiness

No solution in sight or expected...

Identifying metrics for reliability is realistic.
Identifying metrics for security is misguided.

What about standards/criteria/specifications?
• Process (e.g. SEI CMM, ISO 9000).
• Artifact (Good Housekeeping seal, Consumer Union, …).
– Cannot keep pace with evolving threats.
– Cannot keep pace with product development cycle.
– Evaluated products not good enough… Glue is important.


Functionality versus Assurance

What does the rating convey?

Functionality: What it does.
Assurance: Confidence that that is what it does.

[Chart: axes labelled Functionality and Assurance; regions labelled “Danger” and “Conservative”.]


Cryptography: Political and Technical

Most security problems due to buggy code.

Inhibitory factors to deployment:
– Government regulations (but they are changing!).
– Reduced convenience and usability.
– Sacrifice interoperability (e.g. email).
– Increased computation/communication requirements.
– Lack of existing infrastructure.
– Patent restrictions (notable expirations in Fall ‘00).


For Further Reading

Read Executive Summary, Chapters 1 and 6 of: Trust in Cyberspace, National Academy Press (1999). It can be found at: http://www.nap.edu/readingroom/books/trust