Are the System Security Watchmen Asleep

1
Are the System Security Watchmen Asleep?
ICIW 2008 University of Nebraska Omaha April 24,
2008
Dr. Roger R. Schell Roger.Schell_at_aesec.com
2
Overview

• Executives often clueless about security
• They rely on professionals to be their watchmen
• Acceptable risk based on gross misperception
• Serious failure by security professionals
• Dont warn of adversaries subversion attack
  tools
• Dont warn that current solutions are highly
  ineffective
• Watchmen responsible for likely disasters
• Blood on the hands of those not sounding alarm
• Time to sound alarm -- need radical change
• Proven verifiable protection is available, but
  languishes

3
Air Gap Between Domains Is Secure But Crippling

Lack of multilevel security (MLS) not only slows
information sharing but often prevents it
altogether -
Congressional Report on 9/11
4
Misguided Management Response

• Accredit deploy low assurance platforms
• SE Linux
• Virtual Machine Monitor, e.g., NetTop
• Trusted Solaris
• DODIIS Trusted Workstation (DTW)
• Guards and filters, e.g., Radiant Mercury, ISSE
• Ignore that low assurance is unevaluatable
• Technology can only assure finding obvious
  flaws
• Attackers rule, disasters are likely
• Exacerbate risks with plans to get well
• Reliance on added on security makes things worse

5
OutlineWatchmen Sound the Alarm

• Subversion threat is serious and growing
• Unconscionable use of overly weak solution
• Verifiable protection technology languishes

6
Cross-Domain Solution (CDS)(Uninformed Executive
Perception)
High Network Domain
Executive Perception of current CDSs Controlled
sharing (Believes CDS prevents high information
from flowing down)
Low Network Domain
7
Challenge is CDS Connectivity(A theorem from
science)
Corporate or Government High Networks Domain
Low Networks or Internet Domain
8
Cyber Warfare Subversion Likely

• Tiger Teams subversion is tool of choice
• http//www.airpower.maxwell.af.mil/airchronicles/a
  ureview/1979/jan-feb/schell.html
• http//www.acsac.org/2002/papers/classic-multics.p
  df
• Adversaries can use 30 years experience
• The threat has only increased with time
• Trojan horses application subversion
• Thousands in products, e.g., viruses and Easter
  Eggs
• Trap doors infrastructure subversion
• Root kits, malware
• Buy IT solution from your mortal enemy?
• Better figure out how, because likely you are
• Software of uncertain pedigree

9
Trojan Horse Attack Malicious code in use of CDS

• Hidden functionality in application CDS
• Adversary usually outsider (stranger to victim)
• Can be surreptitiously distributed
• Application user is unwitting agent
• Requires victim (user) to execute application
• Constrained by system security controls on victim
• Exploitation undetected controlled by remote
  design
• Current networks open vast opportunity
• Testing review to detect is futile and
  delusional
• Little mitigation in applications and most CDS
  systems

10
Trojan Horse AttackCross-Domain Solution (CDS)
High Network Domain
Determined adversary understanding of reality of
current CDSs Trojan horses exfiltrate
data (Substantial high data leakage to low
domain)
Low Network Domain
11
Trap Door Attack Subversion of Infrastructure

• Malicious code in platform
• Software, e.g., operating system, drivers, tools
• Hardware/firmware, e.g., BIOS in PROM
• Artifice can be embedded any time during
  lifecycle
• Adversary chooses time of activation
• Can be remotely activated/deactivated
• Unique key or trigger known only to attacker
• Needs no (even unwitting) victim use or
  cooperation
• Efficacy and Effectiveness Demonstrated
• Exploitable by malicious applications, e.g.,
  Trojans
• Long-term, high potential future benefit to
  adversary
• Testing not at all a practical way to detect

12
Trap Door AttackCross-Domain Solution (CDS)
High Network Domain
Determined adversary understanding of reality of
current CDSs Trap door gives low attacker access
to data (Low has repeated, undetected access to
high information)
Low Network Domain
13
Summary of Subversion Process

• Step 1 infrastructure subversion
• Integral to installed software, e.g. trap door
• Added to software suite during lifecycle, e.g.,
  viruses
• Big attraction easy to avoid being apprehended
• Perpetrator not present at time of attack
• Step 2 execution of artifice software
• Can activate by unique key or trigger
• NPS demo, 12 lines of code (LOC) subverts Linux
  NFS
• Step 3 (optional) two card loader
• Bootstrap small toehold for diverse customized
  attacks
• NPS demo with 6 LOC to subvert XP and then IPSEC
• Step 4 access unauthorized domain data

14
CDS Subversion Vulnerability
Corporate or Government High Networks Domain
Low Networks or Internet Domain
15
OutlineWatchmen Sound the Alarm

• Subversion threat is serious and growing
• Low cost, low risk to attacker, virtually
  undetectable
• Highly effective, extensible, e.g., two card
  loader
• Unconscionable use of overly weak solution
• Verifiable protection technology languishes

16
Weakest Link is Flawed Solutions

• Single flawed interface exposes whole net
• Defense in depth as used is myth ignores
  subversion
• Plethora of band aid solutions, e.g., firewall,
  IDS,
• Low assurance CDSs, e.g., guards invite disaster
• Like WW II crypto use sent thousands to watery
  grave
• Secure application is non-computable
• Determining it is multilevel secure (MLS) is
  impossible
• Common practice and policy cannot change science
• Equivalent to stream of perpetual motion patents

17
Secure Pixie Dust Components

• Vested interest research sand boxes
• Saps funds and attention with little
  accountability
• Implied accreditation shortcut inhibit warnings
• Subsidized contribution drive out system
  solutions
• Hard problems for MLS systems remain
• Encryption opiate of the naive needs trusted
  control
• No security hardware, e.g., TPM, composition
  defined
• Virtualization hardware need high assurance
  monitor
• Separation kernel needs reference monitor
• Security from guard script language is
  non-computable
• CDS can be no better than platform it is on

18
Flaws in System Solutions Missed

• False security from isolated components
• Accreditors cannot responsibly judge flaws
• Lack approved system security evaluation
  criteria
• Unskilled in assessing methods to address
  subversion
• Only a verifiably secure CDS is evaluatable
• On verifiable trusted computing base (TCB)
  platform
• Last coherent codification in TCSEC Class A1
• System security must be designed in, not bolted
  on
• Includes composition of partitions and subsets

19
Impact Indications and Warning

• Vendor downloadable product subverted
• Cracker gained user-level access to modify
  the download file. . . . you pray never happens,
  but it did.
• WordPress, reported on wordpress.org, March 2,
  2007
• Intrusion can replace traditional espionage
• you can exfiltrate massive amounts of
  information electronically from the comfort of
  your own office.
• Joel Brenner, counterintelligence executive in
  CNN.com, October 19, 2007
• SW subversion steals credit/debit card data
• an illicit and unauthorized computer
  program was secretly installed at every one of
  its 300-plus stores.
• Hannaford Bros. Co., reported on eWeek.com,
  March 28, 2008
• Military recognition of subversion
• vulnerabilities are introduced during
  manufacturing that an adversary can then
  exploit.
• Lt. Gen. Robert Elder, USAF, at Cyber Warfare
  Conference, April 2008

20
State of Cyber Warfare Defense
Nearly thirty years ago, Roger Schell accurately
predicted systems not designed for the modern
Internet threats, poorly implemented, forcing the
installation of nearly daily security patches,
and many millions of systems being compromised on
an ongoing basis.  Dave Safford, Manager,
IBM Global Security Analysis Lab http//www.res
earch.ibm.com/gsal/tcpa/why_tcpa.pdf
21
OutlineWatchmen Sound the Alarm

• Subversion threat is serious and growing
• Low cost, low risk to attacker, virtually
  undetectable
• Highly effective, extensible, e.g., two card
  loader
• Unconscionable use of overly weak solution
• Current practice invites catastrophic mission
  impacts
• Pixie dust of secure components gives false
  security
• Verifiable protection technology languishes

22
Sharing Data AcrossDisparate Domains Need MLS

• Isolation obstructs missions
• Tactical situational awareness
• Efficient utilization of resources

High Network Domain
Low Network Domain
23
Share but Resist Subversion
High Network Domain
Impossible to find or Fix
an arms race we cannot win IBM VP at RSA,
Apr 2008
TCB still prevents information from flowing down
Low Network Domain
24
Proven Methods Evaluated and Deployed TCB

• Mature, proven trusted systems technology
• TCSEC/TNI need not be used as organizational
  utterance for policy

Balanced assurance, composable subsets for systems
25
Verifiably Secure Class A1 / EAL7
Common Criteria
TCSEC
NO VULNERABILITIES
A1
EAL7
EAL6
B3
UNKNOWN VULNERABILITIES
B2
EAL5
Beware of No Mans Land
B1
EAL4
C2
EAL3
C1
EAL2
Only Class A1/EAL7 excludes malicious software
26
Proven Solution Security Kernel
The only way we know . . . to build highly
secure software systems of any practical interest
is the kernel approach. -- ARPA Review Group,
1970s (Butler Lampson, Draper Prize recipient)
A computable solution to process simultaneously a
range of sensitive information
27
Illustrative MLS Demonstrations,(at UNO on COTS
GTNP Kernel)

• Multilevel Secure Web Server
• Browse down
• Unhackable web resources
• Multilevel FTP Server
• Covert Communications Proxy

28
Multilevel Web Server Demo
High Network Domain
Low Network Domain
High integrity administration (and Web page
authoring)
29
Illustrative MLS Demonstrations,(at UNO on COTS
GTNP Kernel)

• Multilevel Secure Web Server
• Multilevel FTP Server
• High network users see high low files
• Low network users cannot see high files
• Covert Communications Proxy

30
Multilevel FTP Server Demo
Low Network Domain
High Network Domain
31
Illustrative MLS Demonstrations,(at UNO on COTS
GTNP Kernel)

• Multilevel Secure Web Server
• Multilevel FTP Server
• Covert Communications Proxy
• Low sources put files onto high servers

32
Covert Comms Proxy Demo
Low Network Domain
High Network Domain
File Server
33
MLS Demonstrations Summary (at UNO on COTS GTNP
Kernel)

• Multilevel Secure Web Server
• Browse down
• Unhackable web resources
• Multilevel FTP Server
• High network users see high low files
• Low network users cannot see high files
• Covert Communications Proxy
• Low sources put files onto high servers

34
Previously Delivered MLS Solutions Validated
Verifiable Technology

• BLACKER VPN (NSA product on GTNP)
• HSRP Pentagon MLS gateway (on GTNP)
• CHOTS Guard UK MOD system (on GTNP)
• COTS Trusted Oracle 7 (GTNP design)
• SACLANT client/server (GTNP design)
• AFFPB Crypto-seal guard (POC on GTNP)

35
Examples of More Opportunities to Apply
Verifiable Technology

• MLS Networked Windows (Thin Client)
• MLS network attached storage (NAS)
• Guards and filters
• Real-time exec (e.g., SCADA appliances)
• Verifiably secure MLS Linux, Unix, ix
• Identity mgt (PKI quality attribute)
• MLS handheld network devices (PDA)

36
Cost Benefit of Evaluated Protection
Capabilities
COSTS TO DEVELOP
BENEFIT TO USER
THREAT
C1
TCSEC Rating
Common Criteria Assurance
EAL2
Best Commercial Practice
37
ConclusionWatchmen Sound the Alarm

• Subversion threat is serious and growing
• Low cost, low risk to attacker, virtually
  undetectable
• Highly effective, extensible, e.g., two card
  loader
• Unconscionable use of overly weak solution
• Current practice invites catastrophic mission
  impacts
• Pixie dust of secure components gives false
  security
• Verifiable protection technology languishes
• Government impedes proven COTS verifiable MLS
• Competition from Government in funding
  experiments
• Discrimination in evaluation, e.g., no
  certificates, no RAMP
• Users fail to validate product hypothesis to
  vendors
• Often uninformed/misinformed by security
  professionals

38
Are the System Security Watchmen Asleep?
ICIW 2008 University of Nebraska Omaha April 24,
2008
Dr. Roger R. Schell Roger.Schell_at_aesec.com