æSec™

Are the System Security Watchmen Asleep?
Dr. Roger R. Schell, [email protected]
ICIW 2008, University of Nebraska Omaha, April 24, 2008

Slide 1: Overview
  Executives often clueless about security
    – They rely on professionals to be their "watchmen"
    – "Acceptable risk" based on gross misperception
  Serious failure by security professionals
    – Don't warn of adversaries' subversion attack tools
    – Don't warn that current solutions are highly ineffective
  "Watchmen" responsible for likely disasters
    – "Blood on the hands" of those not sounding alarm
  Time to sound alarm -- need radical change
    – Proven verifiable protection is available, but languishes

Slide 2: Air Gap Between Domains Is Secure – But Crippling …
  [Figure: isolated networks with no connections between them: OSINT, GWAN (IWS), Site Ops Net, NSANET (IWS), JWICS (IWS), SIPRNET, READOUT, Multi-Net (IWS), JWICS VTC]
  "Lack of multilevel security (MLS) not only slows information sharing but often prevents it altogether" - Congressional Report on 9/11

Slide 3: Misguided Management Response
  Accredit & deploy low assurance platforms
    – SE Linux
    – Virtual Machine Monitor, e.g., NetTop
    – Trusted Solaris
    – DODIIS Trusted Workstation (DTW)
    – "Guards" and filters, e.g., Radiant Mercury, ISSE
  Ignore that low assurance is unevaluatable
    – Technology can only assure finding "obvious flaws"
    – Attackers rule, disasters are likely
  Exacerbate risks with plans to get well
    – Reliance on "added on" security makes things worse

Slide 4: Outline: Watchmen – Sound the Alarm
  Subversion threat is serious and growing
  Unconscionable use of overly weak solution
  Verifiable protection technology languishes

Slide 5: Cross-Domain Solution (CDS) (Uninformed Executive Perception)
  [Figure: High Network Domain; Cross Domain Solution (CDS) running on an Operating System; Low Network Domain]
  Executive perception of current CDSs: controlled sharing (believes the CDS prevents high information from flowing down)

Slide 6: Challenge is CDS Connectivity (A "theorem" from science)
  [Figure: Corporate or Government High Networks Domain; Computer; Low Networks or Internet Domain]
  Computer Security Intermediate-Value Theorem (Dr. David Bell, 2006: http://www.acsac.org/2005/papers/Bell.pdf): connection of disparate domains is multilevel

Slide 7: Cyber Warfare Subversion Likely
  Tiger Teams: subversion is tool of choice
    – http://www.airpower.maxwell.af.mil/airchronicles/aureview/1979/jan-feb/schell.html
    – http://www.acsac.org/2002/papers/classic-multics.pdf
  Adversaries can use 30+ years experience
    – The threat has only increased with time
    – Trojan horses – application subversion
      • Thousands in products, e.g., viruses and "Easter Eggs"
    – Trap doors – infrastructure subversion
      • Root kits, malware
  Buy IT solution from your mortal enemy?
    – Better figure out how, because likely you are
    – Software of uncertain pedigree

Slide 8: Trojan Horse Attack: Malicious code in use of CDS
  Hidden functionality in application & CDS
    – Adversary usually outsider (stranger to victim)
    – Can be surreptitiously distributed
  Application user is unwitting agent
    – Requires victim (user) to execute application
    – Constrained by system security controls on victim
    – Exploitation undetected & controlled by remote design
  Current networks open vast opportunity
    – Testing & review to detect is futile and delusional
    – Little mitigation in applications and most CDS systems

Slide 9: Trojan Horse Attack: Cross-Domain Solution (CDS)
  Determined adversary understanding of reality of current CDSs: Trojan horses exfiltrate data
  [Figure: High Network Domain; CDS on Operating System; Low Network Domain; substantial high data leakage to low domain]

Slide 10: Trap Door Attack: Subversion of Infrastructure
  Malicious code in platform
    – Software, e.g., operating system, drivers, tools
    – Hardware/firmware, e.g., BIOS in PROM
    – Artifice can be embedded any time during lifecycle
    – Adversary chooses time of activation
  Can be remotely activated/deactivated
    – Unique "key" or trigger known only to attacker
    – Needs no (even unwitting) victim use or cooperation
  Efficacy and effectiveness demonstrated
    – Exploitable by malicious applications, e.g., Trojans
    – Long-term, high potential future benefit to adversary
    – Testing not at all a practical way to detect

Slide 11: Trap Door Attack: Cross-Domain Solution (CDS)
  Determined adversary understanding of reality of current CDSs: trap door gives low attacker access to data
  [Figure: High Network Domain; CDS on Operating System; Low Network Domain; low has repeated, undetected access to high information]

Slide 12: Summary of Subversion Process
  Step #1 – infrastructure subversion
    – Integral to installed software, e.g., trap door
    – Added to software suite during lifecycle, e.g., viruses
    – Big attraction: easy to avoid being apprehended
      • Perpetrator not present at time of attack
  Step #2 – execution of artifice software
    – Can activate by unique "key" or trigger
    – NPS demo, 12 lines of code (LOC) subverts Linux NFS
  Step #3 – (optional) "two card loader"
    – Bootstrap small toehold for diverse customized attacks
    – NPS demo with 6 LOC to subvert XP and then IPSEC
  Step #4 – access unauthorized domain data

Slide 13: CDS Subversion Vulnerability
  [Figure: Corporate or Government High Networks Domain; Computer; Low Networks or Internet Domain; arrows labelled Loss of Integrity and Loss of Secrecy*]
  Computer Security Intermediate-Value Theorem: connection of disparate domains is multilevel
  * CDSs not verifiably multilevel secure (MLS)

Slide 14: Outline: Watchmen – Sound the Alarm
  Subversion threat is serious and growing
    – Low cost, low risk to attacker, virtually undetectable
    – Highly effective, extensible, e.g., "two card loader"
  Unconscionable use of overly weak solution
  Verifiable protection technology languishes

Slide 15: Weakest Link is Flawed Solutions
  Single flawed interface exposes whole net
    – "Defense in depth" as used is myth: ignores subversion
    – Plethora of "band aid" solutions, e.g., firewall, IDS, …
    – Low assurance CDSs, e.g., guards, invite disaster
    – Like WW II crypto use sent thousands to watery grave
  "Secure application" is non-computable
    – Determining that it is multilevel secure (MLS) is impossible
    – Common practice and policy cannot change science
    – Equivalent to stream of "perpetual motion" patents

Slide 16: "Secure" Pixie Dust Components
  Vested interest research "sand boxes"
    – Sap funds and attention with little accountability
    – Implied accreditation shortcut inhibits warnings
    – Subsidized contributions drive out system solutions
  Hard problems for MLS systems remain
    – Encryption, "opiate of the naive", needs trusted control
    – No security hardware, e.g., TPM, composition defined
    – Virtualization hardware needs high assurance monitor
    – Separation kernel needs reference monitor
    – Security from guard script language is non-computable
  CDS can be no better than platform it is on

Slide 17: Flaws in System Solutions Missed
  False security from isolated components
  Accreditors cannot responsibly judge flaws
    – Lack "approved" system security evaluation criteria
    – Unskilled in assessing methods to address subversion
  Only a verifiably secure CDS is evaluatable
    – On verifiable trusted computing base (TCB) platform
    – Last coherent codification in TCSEC "Class A1"
    – System security must be designed in, not bolted on
    – Includes composition of "partitions" and "subsets"

Slide 18: Impact Indications and Warning
  Vendor downloadable product subverted
    "Cracker gained user-level access to modify the download file. . . . you pray never happens, but it did." – WordPress, reported on wordpress.org, March 2, 2007
  Intrusion can replace traditional espionage
    "you can exfiltrate massive amounts of information electronically from the comfort of your own office." – Joel Brenner, counterintelligence executive, in CNN.com, October 19, 2007
  SW subversion steals credit/debit card data
    "an 'illicit and unauthorized computer program' was secretly installed at every one of its 300-plus stores." – Hannaford Bros. Co., reported on eWeek.com, March 28, 2008
  Military recognition of subversion
    "vulnerabilities are introduced during manufacturing that an adversary can then exploit." – Lt. Gen. Robert Elder, USAF, at Cyber Warfare Conference, April 2008

Slide 19: State of Cyber Warfare Defense
  "Nearly thirty years ago, Roger Schell accurately predicted: systems not designed for the modern Internet threats, poorly implemented, forcing the installation of nearly daily security patches, and many millions of systems being compromised on an ongoing basis." – Dave Safford, Manager, IBM Global Security Analysis Lab, http://www.research.ibm.com/gsal/tcpa/why_tcpa.pdf

Slide 20: Outline: Watchmen – Sound the Alarm
  Subversion threat is serious and growing
    – Low cost, low risk to attacker, virtually undetectable
    – Highly effective, extensible, e.g., "two card loader"
  Unconscionable use of overly weak solution
    – Current practice invites catastrophic mission impacts
    – Pixie dust of "secure" components gives false security
  Verifiable protection technology languishes

Slide 21: Sharing Data Across Disparate Domains Needs MLS
  [Figure: High Network Domain; Multi-Level Secure Connection; Low Network Domain]
  Isolation obstructs missions
    – Tactical situational awareness
    – Efficient utilization of resources
  Any low connection => MLS
    – Must be Multi-Level Secure (MLS)
    – Low/Medium assurance ineffective
      • No protection against subversion
      • Vulnerabilities unknown (unknowable)
  Class A1 resists subversion
    – Is verifiably secure (high assurance)
    – Verifies absence of malicious code
    – Key enabler for CDS accreditation

Slide 22: Share but Resist Subversion
  Adversary plants trap door or Trojan horse; impossible to find or fix
    – "an arms race we cannot win" – IBM VP at RSA, Apr 2008
  [Figure: High Network Domain; Cross Domain Solution (CDS) on Verifiably Secure TCB; Low Network Domain; the TCB still prevents information from flowing down]

Slide 23: Proven Methods Evaluated and Deployed TCB
  Mature, proven trusted systems technology
    – TCSEC/TNI need not be used as organizational utterance for policy
  Balanced assurance, composable subsets for systems

Slide 24: Verifiably Secure: Class A1 / EAL7
  [Figure: TCSEC classes aligned with Common Criteria evaluation assurance levels]
    TCSEC   Common Criteria
    A1      EAL7     NO VULNERABILITIES
    B3      EAL6
    B2      EAL5     Beware of "No Man's Land"
    B1      EAL4
    C2      EAL3     UNKNOWN VULNERABILITIES
    C1      EAL2
  Only Class A1/EAL7 excludes malicious software

Slide 25: Proven Solution: Security Kernel
  "The only way we know . . . to build highly secure software systems of any practical interest is the kernel approach." -- ARPA Review Group, 1970s (Butler Lampson, Draper Prize recipient)
  [Figure: layered stack. Top: Applications, Appliances, Security Services. Middle: Verifiably Secure Platform = Operating System over Verifiable Security Kernel. Bottom: Intel x86 Hardware Platform with Network, Monitor/Keyboard, Disk]
  A computable solution to process simultaneously a range of sensitive information

Slide 26: Illustrative MLS Demonstrations (at UNO on COTS GTNP Kernel)
  Multilevel Secure Web Server
  Multilevel FTP Server
  Covert Communications Proxy

Slide 27: Multilevel Web Server Demo
  [Figure: Browser on High Network Domain and Browser on Low Network Domain, both served by the Multilevel Web Server App on a Verifiable TCB (e.g., Class A1 GTNP)]
    – Browse down
    – Unhackable web resources
    – High integrity administration (and Web page authoring)

Slide 29: Multilevel FTP Server Demo
  [Figure: Multilevel FTP Server App on a Verifiable TCB (e.g., Class A1 GTNP), connected to High Network Domain and Low Network Domain]
    – High network users see high & low files
    – Low network users cannot see high files

Slide 31: Covert Comms Proxy Demo
  [Figure: MLS Covert Comms Proxy on a Verifiable TCB (e.g., Class A1 GTNP), connected to Low Network Domain and to a File Server in the High Network Domain]
    – Low sources put files onto high servers

Slide 32: MLS Demonstrations Summary (at UNO on COTS GTNP Kernel)
  Multilevel Secure Web Server
    – Browse down
    – Unhackable web resources
  Multilevel FTP Server
    – High network users see high & low files
    – Low network users cannot see high files
  Covert Communications Proxy
    – Low sources put files onto high servers

Slide 33: Previously Delivered MLS Solutions
  Validated verifiable technology
    – BLACKER – VPN (NSA product on GTNP)
    – HSRP – Pentagon MLS gateway (on GTNP)
    – CHOTS Guard – UK MOD system (on GTNP)
    – COTS Trusted Oracle 7 (GTNP design)
    – SACLANT client/server (GTNP design)
    – AFFPB Crypto-seal guard (POC on GTNP)

Slide 34: Examples of More Opportunities to Apply Verifiable Technology
  MLS Networked Windows (Thin Client)
  MLS network attached storage (NAS)
  Guards and filters
  Real-time exec (e.g., SCADA appliances)
  Verifiably secure MLS Linux, Unix, *ix
  Identity mgt (PKI quality attribute)
  MLS handheld network devices (PDA)

Slide 35: Cost & Benefit of Evaluated Protection Capabilities
  [Chart: horizontal axis is the TCSEC rating C1, C2, B1, B2, B3, A1, aligned with Common Criteria assurance EAL 2, 3, 4, 5, 6, 7. Two curves are plotted: costs to develop (development & evaluation cost for a new verifiably secure product, versus the cost if an already rated product is used, e.g., Aesec's Class A1 GTNP) and benefit to user. The threat scale runs from Best Commercial Practice, through Resistant to Trojan horses, to Insurable, No Trap Doors, Immune to Trojan Horses]

Slide 36: Conclusion: Watchmen – Sound the Alarm
  Subversion threat is serious and growing
    – Low cost, low risk to attacker, virtually undetectable
    – Highly effective, extensible, e.g., "two card loader"
  Unconscionable use of overly weak solution
    – Current practice invites catastrophic mission impacts
    – Pixie dust of "secure" components gives false security
  Verifiable protection technology languishes
    – Government impedes proven COTS verifiable MLS
      • "Competition" from Government in funding experiments
      • Discrimination in evaluation, e.g., no "certificates", no RAMP
    – Users fail to validate product hypothesis to vendors
      • Often uninformed/misinformed by security professionals