Architecture Choices for Security - 2007
Is Functionality with Security an option?
Kenneth Hamer-Hodges
http://www.SIPantic.net/SIPantic
Agenda
• The Problems with Security Practice Today
• The Unacceptable Choice
• An Alternative Architecture
• Implementing Need to Know
• Demonstrations
• How to Dine with the Devil
• No choice between safety or functionality
• Some Thoughts on the Future
• How soon can we start?
Inviting “Satan to Dinner”
Computer Security is Broken
Not Just ...
• XP, Vista, Mac, SELinux, RedHat…
• Access Control List Architectures
• Consider
  • Web Browsers, Compound Documents
  • Each plug-in needs specific authorities
  • But NOT authority outside its contained areas
  • None need the authority
    • To launch Trojan horses
    • Read and sell confidential data
• A Dark Side is also at work
Ambient Authority Problem
• http://news.com.com/Expert+IT+industry+has+failed+in+desktop+security/2100-1002_3-6185295.html
• ACL Grants Authority
  • Desktop programs can do everything a User can do
  • Even bad things
• Some Data Points
  • Monthly security patches
  • By design Browsers run unknown code
  • Millions of lines of OS code
  • Thousands of OS defects
  • 2/3rds of PCs infected in some way
  • http://www.mg.co.za/articlePage.aspx?articleid=299541&area=/insight/insight_tech/
Computer Security 1965 - 2007
• History from Multics to Unix, to Windows to Mac OS …
• No graded security
  • Still ‘privileged modes’
  • Once ‘Hacked’ everything is threatened
• Everything depends upon
  • Firewalls and Anti-Virus
  • Access Control Lists
  • Pop-up requests
  • Certificates
• Expected to protect but actually enabling threats
Source: The Evolving Malware Threat: Guarding Against Criminal Malware, Roger A. Grimes, InfoWorld security columnist/Microsoft Sr. Computer Consultant - June 26, 2007
Firewalls and Anti-Virus
• Perimeter security systems
  • May be applied to one or more computers
• Cannot discriminate internal trust
  • Between applications
• Once Infections breach the wall
  • All the assets within are damaged goods
• Only block expected attacks
  • No “Zero-Day” security
  • Detection rate ~80%
Access Control Lists
• Identity Based Access Control
  • The abstraction of ID Cards
• Limitations
  • No Trust Discrimination by domain
  • Hard to Change & Role Explosion
  • Open to embedded viruses
• Why not?
  • Run application in private space
  • Polaris demonstration (Later)
  • Far too complex for typical users
Security Assertion Markup Language (SAML): “At the heart of most SAML assertions is a subject (a principal – an entity that can be authenticated – within the context of a particular security domain) about which something is being asserted.”
The Pop Up
• Stop and give me your valuables
• Give up and Punt Security
  • Let the User take the Hit
  • Antithesis of Usability
  • Abdication of security responsibility
  • Uninformed choice
• Just Say No - or Sooner or Later you get infected
Certificates
• Authenticates the authors
  • A false sense of security
  • Even Satan can sign
  • Embed a Virus in a DLL
  • Proof it came from Satan is not proof that it is safe
• Exploit bugs in Certified code
  • Load a poorly written but signed driver then exploit it!
• The result is the same
  • Regardless of who, how & why?
Should you run downloaded software .. “A digital signature identifies the publisher of the software and verifies that the software has not been tampered with since it was signed. [BUT WITH OR] Without a valid digital signature, you have no way to verify that the software is what it claims to be.”
Links
• Subverting Vista Kernel For Fun And Profit, J Rutkowska, Black Hat USA 2006
• Hardware Virtualization Based rootkits, Dino Dai Zovi, Black Hat USA 2006
• Blue Pill Detection, Edgar Barbosa, SyScan 2007
• Compatibility is Not Transparency: VMM Detection Myths and Realities, Tal Garfinkel et al., HotOS 2007
• Blue Pill Detection In Two Easy Steps, Keith Adams
• IsGameOver.ppt, Rutkowska & Tereshkin, Black Hat USA 2007
Blue Pill (Joanna Rutkowska)
The Result
Some Very Powerful Programs
• Any program (including all of these) can
  • Watch what I do
  • Access or delete my files and
  • Search/use my email
The Unacceptable Choice!
Either Functionality
• Run as Administrator
• Exposure all the time
• Depend upon Firewall & AV
• Open items at your risk
• PC grinds to a Halt
Or Security
• Multiple Login and Passwords
• Dysfunctional Browsing
• Deny Pop-Ups
• Ignore Certificates
• Work still Grinds to a Halt
Site Password Tool
• You have accounts at many sites
  • One password for all sites or different for each?
• Site Password
  • A different password for each site
  • A hard password in the first field
  • An easy name for the site
  • The tool computes a complex password for that site
• Thanks to Alan Karp et al at HP Labs
  • Technical Report
  • Python version
  • Windows executable
  • The source for the Windows
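Added example (not the HP Labs tool's own code) of the idea on this slide: one hard master password plus an easy site name yields a distinct complex password per site, and the same inputs always reproduce it. The derivation used here (HMAC-SHA256 keyed by the master password) and the character-class policy are assumptions made for this example, not the tool's published algorithm.

```python
import hashlib
import hmac
import string

# Character classes the derived password must cover (constructed policy)
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*")
ALPHABET = "".join(CLASSES)  # 70 printable symbols


def site_password(master: str, site: str, length: int = 16) -> str:
    """Derive a per-site password from a single hard master password and an
    easy site name.

    The derivation (HMAC-SHA256 keyed by the master password over the
    normalized site name) is an assumption chosen for this example; it is
    not the HP Labs tool's algorithm.
    """
    if len(master) < 8:
        raise ValueError("master password must be at least 8 characters")
    if not len(CLASSES) <= length <= 32:  # SHA-256 gives 32 bytes to draw from
        raise ValueError("length must be between 4 and 32")
    # Normalize so "Amazon.com" and " amazon.COM " derive the same password
    site_tag = site.strip().lower().encode("utf-8")
    # Keyed hash: a leaked site password reveals neither the master password
    # nor any other site's password
    digest = hmac.new(master.encode("utf-8"), site_tag, hashlib.sha256).digest()
    chars = [ALPHABET[b % len(ALPHABET)] for b in digest[:length]]
    # Force one symbol from each class into the leading positions so the
    # result passes typical site complexity rules; still fully deterministic
    for i, cls in enumerate(CLASSES):
        chars[i] = cls[digest[i] % len(cls)]
    return "".join(chars)


def covers_all_classes(password: str) -> bool:
    """True if the password contains a symbol from every required class."""
    return all(any(c in cls for c in password) for cls in CLASSES)
```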
Check Point Summary
• Well behaved programs are “Tooth Fairies”
  • They don't exist
• Few need authority to
  • Access all files
  • Install Trojan horses and
  • Should never be given such authority
• Allow only the authorities needed
  • Write access to one or a few needed files
  • Renders a Trojan horse or Virus impotent
POLA: The Need to Know Rule
• Principle Of Least Privilege/Authority
• Depend Upon Capabilities
  • The un-forgeable, transferable right to communicate with an object
• No Privileged Modes
  • Modularity is uniformly clear and enforced
• Dynamic Messaging with Run-time Guards
  • Deadlock Avoidance since binding can be cut by the system
MAC and JSM
• Mandatory Access Control
  • Oblivious Compliance
    • A right cannot be transferred if the transfer violates some external policy
  • Centralized Policy Control
    • 20th century “imperial ACL-think”
• Java Security Manager
  • Closest to being useful
  • Some powerful authorities selectively managed
  • Can place modules inside trust realms
    • With a few lines of code
  • Control the browser's user interface
    • Spoof the user (again and again)
A Change In Thinking
• Stop asking “Who are you?”
  • Session based by Login rights
• Start asking “Is this authorized?”
  • Action related to Interface (Facets)
• Build Trust Relationships
  • Capabilities are Interfaces
  • Protected by Contracts
  • A facet can access a subset of the authorities of a powerful object
• Base Policy controls only on Needs
• Get more Functionality with better Security
http://wiki.squeak.org/squeak/3770
Plessey System 250 c. 1972 Capability Security
• Defense-in-depth
  • Locks and Keys in the abstract
  • Natural and intuitive for POLA
  • Works in Networks for Distributed Systems
  • Proven commercially [Plessey Multiprocessor]
• With the single act of Designation
  • A mouse Click or Pass by Reference
  • Convey the (needed) object(s)
  • Grant the limited (necessary) authority
• Revocation is in Real Time
  • By changing the lock, cutting the link
  • Revokers only hold power to revoke an authority
Capability PP-250 & E
• E Lang - Networked Capability to <Counter ++1>
  • captp://*4wv2qgnc6yjnl54wccr2qbmjse6po25o@192.168.2.34:2188/2xaukqqehpuktvjmhaox22rfgfyqwgys
Further Research Links
• Early Publications
  • Jack B. Dennis, Earl C. Van Horn, “Programming Semantics for Multiprogrammed Computations” (1966)
  • Hamer-Hodges, “A Fault-Tolerant Multiprocessor Design for Real-time Control,” Computer Design, Dec. 1973, pp. 75-81.
• Easy to Find Links
  • Stiegler, “E in a Walnut,” http://www.skyhunter.com/marcs/ewalnut.html
  • Mark Miller, Chip Morningstar, Bill Frantz, “Capability-based Financial Instruments,” Proceedings of Financial Cryptography 2000, http://www.erights.org/elib/capability/ode/index.html
  • Jonathan Rees, “A Security Kernel Based on the Lambda-Calculus,” MIT AI Memo No. 1564 (MIT, Cambridge, MA, 1996). http://mumble.net/jar/pubs/secureos/
  • J. S. Shapiro, S. Weber, “Verifying the EROS Confinement Mechanism,” Proceedings of the 2000 IEEE Symposium on Security and Privacy. http://www.eros-os.org/papers/oakland2000.ps
Authorization-Based Access Control for the Services Oriented Architecture (Alan H. Karp, HP Laboratories Palo Alto)
IBAC relates to roles
• Users subscribe to services
• Needs to know all users and what each can do
• Must be updated every time a user changes
• Scalability is a problem
  • Too Many clients
  • Password Problems!
• Client changes become Server problems!
ABAC relates to contracts
• Service sells capabilities
  • As access to a contract
• Clients manage them
  • Distribute by roles
  • A set of capabilities for each contract
  • Includes a way to revoke
• No Password needed!
• Client Changes are correctly the Client problem!
Functionality from Security!
CapBox Demos
• Polaris
  • Give each program only the permissions it needs
  • Polaris changes the way programs are launched
  • Invite Satan to dinner
• E Language
  • A quick peek at distributed objects
• CapDesk, PowerBox and the Darpa Browser
  • Capability based DeskTop Application Launching
  • Rendering is capability confined
  • Including the field to display the URL
Polaris - Beta 1.0
Principle of Least Authority for Real Internet Security
• Polaris – HP Labs
  • Alan Karp et al
• Protects from viruses
  • From opening email attachments
  • Macro viruses contained in files you use
  • Trial Programs you launch
  • Scripts on web pages you visit
  • Email images you view
http://web.hpl.hp.com/personal/akarp
Polaris Confinement
• By adhering to POLA
  • Polaris reduces vulnerability
• Any Application can be
  • Polarized as a Pet
• Each Pet starts with
  • An almost empty Desktop and My Documents
  • A Set Up endowment
  • The File that was clicked
• A virus in this program
  • Is Confined
  • Can do limited damage
• A program launch - Run-As “POLAxxxyyyzzz”
  • With minimum authorities
  • Only those needed to run
Satan’s Excel Macro Demo
• Run powercmd if not already running
• OpenSafe or Double click on files with xls and
  • This keeps a copy (for POLAexcel) and the original synchronized
• Powercmd then starts Excel running as if it were launched by the user polass7sAaJDp708
  • To read their libraries, fonts, etc.
• Pet accounts have an installation endowment
  • The permissions they get every time they start
  • The endowment includes permission to READ
    • c:\Program Files and c:\Windows directories
  • Read and WRITE permission to the PET folders
• Malicious code even from Satan himself can only
  • Read the files in its installation endowment
  • Read names of directory and files (XP feature)
  • Write to the files opened with the Pet
POLA IE, Email and Outlook
• Outlook PolarisLaunch button
  • Also on each email
• For the type of attachment
  • Polaris will use that Pet
  • Or Launch in an IceBox
    • Typically a browser with no address bar to exploit
  • Not all work this way
• Otherwise Save to disk, open from there
  • First Virus scan the file
• Note: Won't protect against Zero-Day or unrecognized virus
Polaris Summary
• More functionality
  • Safely ignore macros
• More Useable
  • Not bothered with security dialog boxes
• More security
  • Viruses do not hurt
• All because
  • POLA for individual applications: Pets
  • Pets have limited rights
  • Only edit the file clicked
• Runs on XP
  • Does not depend upon Capabilities
• Satan’s Macro
  • Enabled but confined
  • The PC does not get infected
E Programming Platform
http://www.erights.org/
• Support capability security
  • Local and distributed contexts
• Open source system
  • E programming language
• Robust
  • Operational software has been deployed
  • DarpaBrowser project
• Still a work in progress
  • Not yet feature complete
“When programming in E, you are automatically working in a capability secure environment. All references are secure references. All powers are accessible only through capabilities. Making an E program secure is largely a matter of thinking about the architecture before you code, and doing a security audit after you code.”
E and CapDesk
• Capability secure distributed file management
  • Fine-grain grants of authority
  • Easy file service configuration
  • Ad-hoc virtual private networking
• Minimal-Authority application-launching environment
  • Integration of usability, security, and functionality
  • Invulnerability to over-the-network attack
• Point-and-click
  • Capability-confined launch
  • Applications/Web Browser
• Negotiates endowments
  • Authority granted on launch
  • Prevent window forgery
E Language Demo
• Capability-based security
• Encrypted Communication
• Deadlock avoidance
• Promise pipelines
• Alice pays Bob $10
  • Only a currency mint can violate that currency
  • The mint can only inflate its own currency
  • No one can affect a purse balance they don't own
  • Two purses of a currency can transfer money
  • Balances are always non-negative
  • Rely on reported deposits if one trusts the purse
• Rights Amplification
• E-on-Java Download Page - licensed under Mozilla or Mozilla compatible open source license.
• E on Common Lisp - Kevin Reid's implementation of E on Common Lisp.
Distributed Capability Demo
• Distributed Counter Access
  • VatA: Alice & Carol
  • VatB: Bob

In VatA (Alice & Carol), at the E REPL (`?` is the prompt, `>` a continuation line):

```e
? introducer.onTheAir()
? var x := 0
? def counter {
>     to incr() :any {
>         x += 1
>         x
>     }
> }
? counter.incr()
? x
# Persistent reference to the counter, written out as a captp URI for Bob
? def sr := makeSturdyRef.temp(counter)
? def uri := introducer.sturdyToURI(sr)
? <file:counter.cap>.setText(uri)
```

In VatB (Bob):

```e
? introducer.onTheAir()
? def uri := <file:counter.cap>.getText()
? def sr := introducer.sturdyFromURI(uri)
? def remote := sr.getRcvr()
# Eventual send: the reference is remote, so an immediate call would throw
? remote <- incr()
```
Capability Security Demo
• Alice Pays Bob $10.00
(Diagram: mint, makePurse, sealer/unsealer, buy, deposit into a fresh $0 purse; purse balances shown going from $100 to $90 and from $200 to $210 after the $10 deposit)
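Added example, written for this page rather than taken from E or the erights.org demo: the mint/purse rules listed under “Alice pays Bob $10” and the balances in the diagram, carried through in Python. The sealer/unsealer pair is the rights-amplification step; the mint keeps the unsealer private, so only purses it made can be drawn from. Python's underscore attributes are a convention, not E's encapsulation, so this shows the pattern's logic, not E's guarantees.

```python
class Brand:
    """Sealer/unsealer pair: only the holder of the unsealer can open a box
    sealed by this brand, so a successful unseal proves provenance."""
    def __init__(self):
        self._contents = {}  # box -> sealed value
    def seal(self, value):
        box = object()
        self._contents[box] = value
        return box
    def unseal(self, box):
        if box not in self._contents:
            raise PermissionError("not sealed by this brand")
        return self._contents[box]


def make_mint():
    """Return a purse constructor; holding it is the power to create money."""
    brand = Brand()  # private to this currency; the unsealer is never handed out
    class Purse:
        def __init__(self, balance):
            if balance < 0:
                raise ValueError("balance must be non-negative")
            self._balance = balance
        def get_balance(self):
            return self._balance
        def sprout(self):  # empty purse of the same currency; cannot mint
            return Purse(0)
        def get_decr(self):  # sealed decrementer: opaque to all but this mint
            return brand.seal(self._decr)
        def _decr(self, amount):
            if not 0 <= amount <= self._balance:
                raise ValueError("insufficient funds")
            self._balance -= amount
        def deposit(self, amount, src):
            # Rights amplification: unsealing proves src is a purse of this mint
            decr = brand.unseal(src.get_decr())
            decr(amount)  # withdraw from src first, so no balance goes negative
            self._balance += amount
    return Purse


def alice_pays_bob():
    """Constructed run of the slide scenario: $100 and $200 purses, $10 paid."""
    mint = make_mint()
    alice, bob = mint(100), mint(200)
    payment = alice.sprout()  # Alice fills a fresh purse and hands it to Bob
    payment.deposit(10, alice)
    bob.deposit(10, payment)
    return alice.get_balance(), bob.get_balance()  # (90, 210)
```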
CapBox Architecture
• CapDesk/DarpaBrowser
  • Use Capabilities
• A manager on behalf of a confined application
  • Granting authority
  • Revocation
• Launches an app
  • Conveys the endowed authorities
• Negotiates authorities during execution
  • For the application
  • With the user
  • For revocation
Capability Delegation
I say: myLawyer.myDeath(myReadOnlyWill)
• Communication only by messages on references
• Reference graph == Access graph
• Connectivity leads to Security

```e
def makeReadOnlyFile(fullPowerFile) {
    # The facet forwards only getBytes; the full-power file stays in the closure
    def readOnlyFile {
        to getBytes() { return fullPowerFile.getBytes() }
    }
    return readOnlyFile
}
```
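Added example (not from the slides or from E) of the read-only facet above combined with the real-time revocation described on the Plessey System 250 slide: the lawyer receives a forwarder to the read-only will, and revoking it cuts the link. FullPowerFile and the will contents are constructed for the example; Python's closures are not E's encapsulation, so this illustrates the pattern rather than E's guarantees.

```python
class FullPowerFile:
    """Constructed stand-in for a file object carrying full authority."""
    def __init__(self, data: bytes):
        self._data = data
    def get_bytes(self) -> bytes:
        return self._data
    def set_bytes(self, data: bytes) -> None:
        self._data = data


def make_read_only_file(full_power_file):
    """Attenuating facet: exposes get_bytes only. The powerful reference lives
    in the closure and never appears in the facet's interface."""
    class ReadOnlyFile:
        def get_bytes(self) -> bytes:
            return full_power_file.get_bytes()
    return ReadOnlyFile()


def make_revocable(target):
    """Caretaker pattern: returns (forwarder, revoke). The forwarder relays
    every message to target until revoke() cuts the link; the recipient
    holds no other path to target, so nothing it does can restore access."""
    link = {"target": target}
    class Forwarder:
        def __getattr__(self, name):
            if link["target"] is None:
                raise PermissionError("authority revoked")
            return getattr(link["target"], name)
    def revoke():
        link["target"] = None
    return Forwarder(), revoke


def will_scenario():
    """Constructed run: the lawyer gets a revocable read-only view of the will."""
    will = FullPowerFile(b"everything to the cat")
    my_read_only_will = make_read_only_file(will)
    for_lawyer, revoke = make_revocable(my_read_only_will)
    seen = for_lawyer.get_bytes()                  # the lawyer can read it
    can_write = hasattr(for_lawyer, "set_bytes")   # False: the facet has no setter
    revoke()                                       # change of mind: cut the link
    try:
        for_lawyer.get_bytes()
        still_works = True
    except PermissionError:
        still_works = False
    return seen, can_write, still_works  # (b"everything to the cat", False, False)
```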
The Confused Deputy Solved
• Access Secure Abstractions
  • All Classes are also gatekeepers
  • Use normal behaviour to control security policy
• Further limits actual authority
  • Leads to POLA by degrees
POLA Rules for Grandma
• Just say no when an Application
  • Asks for additional different authorities
  • Asks to read or edit anything more than a Desktop folder
  • Asks for edit authority on other stuff
  • Asks for read authority on odd stuff, with a connection to the Web
• If an Application Install
  • Proposes a name or an icon
    • Give it a new name and new icon and a new folder path
  • Asks for Web access, beyond 1 or 2 specific sites
    • Always say No unless it is a trusted Web browser
http://www.combex.com/papers/darpa-report/DarpaBrowserFinalReport.doc
What of the Future?
• Object Oriented Programs
  • More implementations that support good software modularity
• Principle Of Least Authority (POLA)
  • PowerBox tools based on “Need to Know”
• Capabilities
  • Languages with embedded guarantees for POLA access to Networked Objects
• CapBox Security
  • Where only “a knowledge of, gives some right of use”
Object Capability Time Line
• 196x: Dennis & Van Horn - MIT - PDP-1 Supervisor; Bob Fabry - Magic Number Machine - U of Chicago; Hamer-Hodges, England et al - System 250 - Plessey Corporation; Simula - Dahl, Myhrhaug and Nygaard at the Norwegian Computing Center, Oslo
• 197x: Roger Needham, M Wilkes - CAP - Cambridge University; Bill Wulf - Hydra - Carnegie Mellon; Butler Lampson, Sturgis – CAL-TSS; RATS & NLTSS - Lawrence Livermore; Actors - MIT; PSOS - SRI; StarOS - Carnegie Mellon; GNOSIS/KeyKOS – Tymshare; System/38 – IBM
• 198x: Smalltalk - Alan Kay et al at Xerox PARC; Objective-C - Brad Cox and Tom Love at Stepstone; Steve Jobs - NeXT machine; Bjarne Stroustrup in his development of C++; Amoeba - Free University Amsterdam; iAPX 432 - Intel
• 199x: EROS and E; Jonathan Rees's thesis on W7; J-Kernel
• 200x: CapDesk, PowerBox, DarpaBrowser, Polaris
Finally…?
• From DeskTop to CapBox
• From Web Explorers to CapBrowsers
• CapDesk will Polarize the DeskTop <- Pola-Vista
• Google is developing Capability Based Network Browsing
• Unquestionably more to come on both Object-Capabilities and POLA