200 likes | 299 Views
Cyber Defense Initiative: Research Challenges. Cyber Trust PI Meeting January 2007 Atlanta, GA Cynthia Irvine. Karl Levitt John Mallery Earl Bobert Dick Kain George Cox Tom Knight Peter Neumann Don Simard Bill Worley Rance Delong Ehab Al-Shaer Michael Franz John Mallery
E N D
Cyber Defense Initiative:Research Challenges Cyber Trust PI Meeting January 2007Atlanta, GA Cynthia Irvine
Karl Levitt John Mallery Earl Bobert Dick Kain George Cox Tom Knight Peter Neumann Don Simard Bill Worley Rance Delong Ehab Al-Shaer Michael Franz John Mallery Andre Dehon Cordell Green Bill Young David Mazieres Jon Millen Paul Robertson Paul Karger Ruby Lee Olin Shivers Sean Smith (Data Stores) Cliff Wang Rich Fiertag Adrian Perrig Phil Porras Co-Chairs: Irvine & Saydjari Presentations Research challenge highlights of the workshop talks given here. Thanks to workshop presenters and participants! Many question marks implicit.
Multi-Dimensional Problem • Unprecedented requirements for flexibility • Address entire lifecycle • Developmental Security • Operational Security • Both require support for • Management • Enforcement • Usability
Need Solutions-Based Approach • Lessons of the past have made us fearful • Certain things didn’t work then • Physics is the same, but technology has changed • Will these differences permit us to revisit past solutions with a new twist? • Business models too often focus on near-term • May require ecosystem change • Must encompass existing systems (legacy)
Need Unorthodox Systems-Level Thinking • Problem is highly complex, yet … • Integrated benefit required (not just local maxima) • Optimization of solution to one aspect of problem can degrade the whole resulting in • Duplication • Excessive complexity • Inefficiencies • Contradictions • Need to create engineered building blocks designed to compose and be mutually supportive • Must find ways to achieve synergistic design • In the face of malicious intent • Consider radically different approaches • Example: non-von Neumann machines
Out-of-the Box Thinking Example: Thoughts About Programming • Extreme fault tolerance and high reliability • Eliminate single point failure • Overlapping, distributed, many representations, random, weak interconnects • Fabricate, then program • Parallel execution enabled by transactional execution • Complexity reduction through abstraction • Highly dynamic choices for data structures and algorithms • Specify task to be completed, not how • Specify background checks to keep things running smoothly • Metadata is on all data • Robust recovery from errors
Developmental Security • Attacker in secure system development process • Create process that makes it very hard to succeed • Tools for trustworthy system development • Specification to testing • Need for HW and SW lifecycle integrity • Cradle to grave • Static (initial state), dynamic (continue to measure) • Is formal verification of properties during development and operation possible? • Security as a constructive process • Need tools that yield incremental, composable proofs of correct mapping of specification to implementation • Must demonstrate that prover actually proved what you want • How complicated can system become and still be trustworthy?
Programming Languages • Desired • Inherent support of security objectives • Full set of modern features • Add policy-related (security) properties to language? • Permits late binding of policies • What formal statements are possible? • Language, complier? • What if exceptions are desired? How is a valid exception distinguished from malicious policy violation • Example: exfiltration
Platform • When are HW add-on security units sufficient? • Example: TPM has some unsolved problems • Ensure that measurements are valid and maintainable • How can TPM-like support move as VMs and applications do? • Virtualization of add-on hardware processing with no loss of assurance • Does virtualization result in loss of connection to hardware? • Formal verification of processors • Processors currently too large for current tools • New algorithms and tools needed • Can the platform be introspective and self adaptive? • What sort of verification is available for such a system?
Kernels: What’s “out”, What’s “in” • Out: Evaluated Policy Kernels • Policy baked in - non flexible - bad • Supports lots of security levels - good • Dynamic resource management - good & bad • In: Separation Kernels • Several flavors: MILS, Experimental, Least Privilege, etc. • Static resource allocation - good & bad • Policy determined by user - flexible - good • Must limit security levels - can restrict usefulness - bad • Trends • Increased dynamicity and introspection • Virtualization - Multiple operating systems as guests • Are you virtualized or not? • Challenges • How to make kernels useful and usable? • How to use the right kernel in the right place?
Can Access Control Be More Granular? • Secure distributed authorization enabled • Heterogeneous security policies • Heterogeneous security metadata • Can standards such as SAML help? • Capabilities • Could build into HW architecture • Additional checks required to prevent violation of mandatory policies • IBM System i has tags - attractive • Persistent capabilities made easy • PowerPC (Power5) might offer opportunities for exploration • How is more granular access control managed? • Can we make this easier than in days of yore?
Information Confinement • Stop exfiltration attacks via steganography and covert channels • Preventive techniques • Use potential flow paths, but prevent their exploitation • Active mitigation • Techniques for rapid development of trustworthy applications • Tools for management, development, testing, analysis, updates
Secure Data Stores • Distributed data store with • Availability, confidentiality, integrity guarantees • Multiple data models and transactional paradigm • Where are data stores? • Application driven, infrastructure driven • Complex and dynamic • Device sharing, mobility, opportunistic, many interfaces • Confidentiality, integrity, availability, freshness, accountability, update, retrieval • Hygene: access control, network, device, domain • Cryptography??? What infrastructure??? PKI??? • Human Computer Interfaces and Security • What’s a device?
Operational Security • Adaptive and reconstitutable applications and systems • Is it sufficient to be correct or must behavior be monitored? • Affects how systems and software will be constructed • Intrusion Detection Systems • Integration into new generation of operating systems • When can monitoring be generic? • When must it be OS-specific • Would Hardware-based IDS be more robust? • Where is the line from IDS to system introspection? • What are the models of expected computation: good and bad and inferences • Adaptive monitoring at multiple levels within the system? • How is monitoring subsystem protected? • How to make sense of volumes of monitoring data?
Agility and Flexibility • Applications • Need “Quality of Security Service” • Minimum requirements specified • Is it OK to have more? Or will that degrade the distributed application in a larger context? • Provide context-dependent and user selectable “Dynamic Security Services” • Resource Management System paradigm • Find “best” provider to support application • Determine benefit function • Complex in highly distributed system • Security domains differ and relationships change • How is relationship negotiated? • Simplify security management • Policy specification, checking, verification • Need tools for automated policy management and system configuration
Networking Challenges • New Paradigm: Device Mobility • Mix of fixed and mobile devices • May be application-driven • New Paradigm: Node Relationships • Move from deterministic to probabilistic • Example: Vehicular networks • New Paradigm: Platforms - • Traditional -> mobile devices -> sensor nodes • Blurred distinction between network and host • New adversaries and attacks • Sybil attacks • Worm-hole attacks • New relationship between host & network security? • Protocols must be carefully analyzed and verified
Networking Challenges • Up-to-date information everywhere • Requests and notifications • Distributed Storage • Distributed protection • IDS, malware, identity • Definition of “zones of trust” • Composition problem • Trustworthy device, user authentication • With privacy • What about devices of questionable provenance? • How to qualify downloaded software for access to our data?
Make Systems Security Scientific and Teach its Principles and Practice • How is “security” measured? What is the “risk reduction return on investment”? • Security prevents bad things from happening. • How do you measure what didn’t happen? • Security is enabling technology • With it new technological advances can be confidently adopted • Tendency to not know what is already understood • Results in reinvention, repetition, & waste • Need to be able to synthesize what is known and make the leap to something new • Will it be science or engineering? • For CDI may need both, but result is what is important • Better discipline and education can help.