Software 1
Software and Security
Why Software?
- Why is software as important to security as crypto, access control and protocols?
- Virtually all of information security is implemented in software
- If your software can be attacked, all other security may be useless
  o Crypto, access control or protocols
- Software is a weak foundation for security!
Bad Software
- Bad software is everywhere!
- NASA Mars Lander (cost $165 million)
  o Crashed into Mars
  o Error in converting English and metric units of measure
- Denver airport
  o Buggy baggage handling system
  o Delayed airport opening by 11 months
  o Cost of delay exceeded $1 million/day
- MV-22 Osprey
  o Advanced military aircraft
  o Lives have been lost due to faulty software
Software Issues
Attackers:
- Actively look for bugs and flaws
- Like bad software...
- ...and try to make it misbehave
- Attack systems thru bad software
"Normal" users:
- Find bugs and flaws by accident
- Hate bad software...
- ...but must learn to live with it
- Must make bad software work
Complexity
"Complexity is the enemy of security", Paul Kocher, Cryptography Research, Inc.

System           Lines of code (LOC)
Netscape             17,000,000
Space shuttle        10,000,000
Linux                 1,500,000
Windows XP           40,000,000
Boeing 777            7,000,000

- More LOC means more bugs
Software Security Topics
- Program flaws (unintentional)
  o Buffer overflow
- Malicious software (intentional)
  o Viruses, worms, etc.
- Reverse engineering
- "Secure" software development
  o Testing
- Operating systems
  o "Trusted" OS?
Example

    char array[10];
    int i;
    for (i = 0; i < 10; ++i)
        array[i] = 'A';
    array[10] = 'B';   /* writes one byte past the end of array */

- This program has a flaw
- What happens when you run the program?
  o Maybe something bad...
  o Or maybe nothing bad...
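Why the slide's answer is "maybe": the stray byte lands on whatever the compiler placed next to the array, and that can be padding (nothing visible) or a live variable (something bad). The following is an added demonstration, not code from the slides. It places a guard byte immediately after a 10-element array inside one 11-byte block, so the overflow is observable without relying on undefined behaviour about stack layout, and sets the slide's flawed filler beside a bounds-checked one that takes the buffer length and refuses rather than overflows. The function names and the guard value are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed demonstration (added example, not the slides' code). The array
 * is the first ARRAY_LEN bytes of an (ARRAY_LEN + 1)-byte block; the last
 * byte is a guard so the one-past-the-end write can be seen. */
#define ARRAY_LEN 10
#define GUARD 'Z'

/* Same flaw as the slide: the function has no idea how big the buffer is and
 * writes index ARRAY_LEN, one past the last valid element. */
static void fill_flawed(char *array) {
    int i;
    for (i = 0; i < ARRAY_LEN; ++i)
        array[i] = 'A';
    array[ARRAY_LEN] = 'B';          /* the slide's stray write */
}

/* Corrected version: the caller passes the buffer length, and the function
 * refuses (returns -1) instead of writing more than fits. */
static int fill_checked(char *array, size_t array_len, size_t count) {
    if (count > array_len)
        return -1;
    memset(array, 'A', count);
    return 0;
}

/* Returns 1 if the guard byte after the array survives the flawed fill,
 * 0 if it was overwritten. */
static int guard_survives_flawed(void) {
    char block[ARRAY_LEN + 1];
    block[ARRAY_LEN] = GUARD;
    fill_flawed(block);              /* writes block[0..ARRAY_LEN], inclusive */
    return block[ARRAY_LEN] == GUARD;
}

/* Returns 1 if the checked fill refuses an oversized request and leaves the
 * guard byte intact. */
static int guard_survives_checked(void) {
    char block[ARRAY_LEN + 1];
    block[ARRAY_LEN] = GUARD;
    int rc = fill_checked(block, ARRAY_LEN, ARRAY_LEN + 1);   /* one too many */
    return rc == -1 && block[ARRAY_LEN] == GUARD;
}

int main(void) {
    printf("flawed fill:  guard %s\n", guard_survives_flawed() ? "intact" : "clobbered");
    printf("checked fill: guard %s\n", guard_survives_checked() ? "intact" : "clobbered");
    return 0;
}
```

In the flawed case the guard is always clobbered; on a real stack the same byte might hit padding, a saved register, or a return address, which is the difference between "nothing bad" and an exploitable flaw. The checked version shows the fix the slide's wording points at: the code does what is intended and nothing more, because the bound is part of the interface.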
Secure Software
- In software engineering, try to ensure that a program does what is intended
- Secure software engineering requires that the software does what is intended...
- ...and nothing more
- Absolutely secure software is impossible
  o Absolute security is almost never possible!
Program Flaws
- Program flaws are unintentional
  o But still create security risks
- Most common type of flaw is
  o Buffer overflow (smashing the stack)
- Other types do exist
  o Race conditions
Malicious Software
- Malware is not new! Initial virus work in the 1980's
- Types of malware
  o Virus: passive propagation
  o Worm: active propagation
  o Trojan horse: unexpected functionality
SQL Slammer
- Infected 250,000 systems in 10 minutes!
- Code Red took 15 hours to do what Slammer did in 10 minutes
- At its peak, Slammer infections doubled every 8.5 seconds
- Slammer spread too fast: it "burned out" the available bandwidth
SQL Slammer
- Why was Slammer so successful?
  o Worm fit in one 376-byte UDP packet
  o Firewalls often let small packets thru, assuming one could do no harm by itself
  o Expectation was that much more data would be required for an attack
  o Slammer defied the assumptions of "experts"
Flash Worm
- Possible to do "better" than Slammer? Can the entire Internet be infected in < 15 min?
- Searching for vulnerable IP addresses is the slow part of a worm attack
- Searching might be bandwidth limited
  o Like Slammer
- A "flash worm" is designed to infect the entire Internet almost instantly
Flash Worm
- Predetermine all vulnerable IP addresses
- Embed all known vulnerable addresses in the worm
- Result is a huge worm (perhaps 400KB)
- Whenever the worm replicates, it splits
- Virtually no wasted time or bandwidth!
- May be able to infect the Internet in 15 seconds!
[Figure: the address list is halved at each replication: original worm, 1st generation, 2nd generation]
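The splitting idea on the two Flash Worm slides can be made concrete with a small simulation. This is an added model, not code from the slides and not any real worm: vulnerable hosts are just the integers 0..n-1, host 0 starts infected, and nothing is sent anywhere. It counts how many copies each strategy sends and how many sequential hops it takes to reach every host, for a list-splitting flash worm and for Slammer-style random scanning. The seed, host count and struct names are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed simulation (added example). Hosts are integers 0..n-1; host 0
 * starts infected. Two spreading strategies are compared by counting copies
 * sent and sequential hops ("generations") until every host is reached. */
struct spread_result {
    size_t attempts;     /* copies of the worm sent */
    int generations;     /* sequential hops (flash) or rounds (random scan) */
    int all_infected;    /* 1 if every host ended up infected */
};

struct flash_state { int *infected; size_t attempts; int max_gen; };

/* Flash worm: the host at `lo` already runs the worm and owns the target list
 * [lo, hi). It sends the worm, together with the back half of the list, to
 * the host in the middle, keeps the front half, and both halves proceed in
 * parallel. Every send hits a fresh host, so no probe is wasted. */
static void flash_split(struct flash_state *s, size_t lo, size_t hi, int gen) {
    if (hi - lo <= 1) return;                 /* one host left: nothing more to do */
    size_t mid = lo + (hi - lo) / 2;
    s->attempts++;
    s->infected[mid] = 1;
    if (gen + 1 > s->max_gen) s->max_gen = gen + 1;
    flash_split(s, lo, mid, gen + 1);         /* lo keeps [lo, mid) */
    flash_split(s, mid, hi, gen + 1);         /* mid takes [mid, hi) */
}

static int all_set(const int *v, size_t n) {
    for (size_t i = 0; i < n; ++i) if (!v[i]) return 0;
    return 1;
}

static struct spread_result flash_worm(size_t n_hosts) {
    struct flash_state s = { calloc(n_hosts, sizeof(int)), 0, 0 };
    struct spread_result r;
    s.infected[0] = 1;
    flash_split(&s, 0, n_hosts, 0);
    r.attempts = s.attempts;
    r.generations = s.max_gen;
    r.all_infected = all_set(s.infected, n_hosts);
    free(s.infected);
    return r;
}

/* Deterministic LCG so the random-scanning run is reproducible. */
static unsigned lcg_next(unsigned *state) {
    *state = *state * 1103515245u + 12345u;
    return *state >> 8;
}

/* Random scanning (Slammer-style): each round, every infected host sends the
 * worm to a random address; probes that land on already-infected hosts are
 * wasted. To keep the run short the address space here is only the n
 * vulnerable hosts; a real scan covers the whole IPv4 space, so the waste
 * is far larger than this shows. */
static struct spread_result random_scan_worm(size_t n_hosts) {
    int *infected = calloc(n_hosts, sizeof(int));
    struct spread_result r = { 0, 0, 0 };
    size_t count = 1;
    unsigned seed = 2003u;                    /* constructed seed */
    infected[0] = 1;
    while (count < n_hosts) {
        size_t probes_this_round = count;     /* every infected host sends once */
        for (size_t p = 0; p < probes_this_round; ++p) {
            size_t target = lcg_next(&seed) % n_hosts;
            r.attempts++;
            if (!infected[target]) { infected[target] = 1; count++; }
        }
        r.generations++;
    }
    r.all_infected = all_set(infected, n_hosts);
    free(infected);
    return r;
}

int main(void) {
    struct spread_result f = flash_worm(1024), s = random_scan_worm(1024);
    printf("flash worm:  %zu sends, %d generations\n", f.attempts, f.generations);
    printf("random scan: %zu sends, %d rounds\n", s.attempts, s.generations);
    return 0;
}
```

For n hosts the flash worm sends exactly n-1 copies in ceil(log2 n) hops (10 hops for 1024 hosts), which is where the "15 seconds" estimate on the slide comes from once the per-hop latency is known; the random scanner needs more sends than hosts because of duplicate hits, and that overhead is what "burned out" Slammer's bandwidth.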
Time Bomb
- In 1986 Donald Gene Burleson told his employer to stop withholding taxes from his paycheck
- His company refused
- He planned to sue his company
  o He used a company computer to prepare legal docs
  o Company found out and fired him
- Burleson had been working on a malware...
- After being fired, his software "time bomb" deleted important company data
Time Bomb
- Company was reluctant to pursue the case
- So Burleson sued the company for back pay!
  o Then the company finally sued Burleson
- In 1988 Burleson was fined $11,800
  o Took years to prosecute
  o Cost thousands of dollars to prosecute
  o Resulted in a slap on the wrist
- One of the first computer crime cases
- Many cases since follow a similar pattern
  o Companies often reluctant to prosecute
SRE
- Software Reverse Engineering
- Can be used to
  o Remove usage restrictions from software
  o Find and exploit flaws in software
  o Cheat at games, etc.
- Attacker can do all of this without access to the source code!
  o May be lots of work, but it can be done
Software Development
- Not easy to develop secure software
- Huge amounts of testing required
- Reliability grows linearly with testing
- If you want 1,000,000 hours between failures for your software
- You must test for (on the order of) 1,000,000 hours!
Software Security
- First to market advantage
  o Also known as "network economics"
  o Security suffers as a result
  o Little economic incentive for secure software!
- Penetrate and patch
  o Fix code as security flaws are found
  o Fix can result in worse problems
  o Mostly done after code delivered
- Proper development can reduce flaws
  o But very costly and time-consuming
OS Security
- OSs are large, complex programs
  o Many bugs in any such program
  o We have seen that bugs can be security threats
- Here we are concerned with the security provided by the OS
  o Not concerned with the threat of bad OS software
  o Concerned with the OS as security enforcer
OS Security Challenges
- Modern OS is multi-user and multi-tasking
- OS must deal with
  o Memory
  o I/O devices (disk, printer, etc.)
  o Programs, threads
  o Network issues
  o Data, etc.
- OS must protect processes from other processes and users from other users
  o Whether accidental or malicious
Next Generation Secure Computing Base
- NGSCB pronounced "n scub" (the G is silent)
- Will be part of Microsoft's Longhorn OS
- TCG (Trusted Computing Group)
  o Led by Intel, TCG specifies the special hardware
- NGSCB is the part of Windows that will interface with TCG hardware
- TCG/NGSCB formerly TCPA/Palladium
  o Why the name changes?
NGSCB
- The original motivation for TCPA/Palladium was digital rights management (DRM)
- Today, TCG/NGSCB is promoted as a general security-enhancing technology
  o DRM just one of many potential applications
- Depending on who you ask, TCG/NGSCB is
  o Trusted computing
  o Treacherous computing
Motivation for TCG/NGSCB
- Closed systems: game consoles, smartcards, etc.
  o Good at protecting secrets (tamper resistant)
  o Good at forcing people to pay
  o Limited flexibility
- Open systems: PCs
  o Incredible flexibility
  o Poor at protecting secrets
  o Very poor at defending their own software
- TCG goal is to provide closed system security benefits on an open platform
- "A virtual set-top box inside your PC" (Rivest)
TCG/NGSCB
- TCG provides tamper-resistant hardware
  o Secure place to store a cryptographic key
  o Key (or other secret) secure even from a user with full admin privileges!
- TCG hardware is in addition to ordinary hardware, not in place of it
- PC has two OSs: the usual OS and a special trusted OS to deal with TCG hardware
- NGSCB is Microsoft's trusted OS
NGSCB Design Goals
- Provide high assurance
  o High confidence that system behaves correctly
  o Correct behavior even if system is under attack
- Provide authenticated operation
  o Authenticate "things" (software, devices, etc.)
- Protection against hardware tampering is not a design goal of NGSCB
  o Hardware tampering is the domain of TCG
NGSCB Disclaimer
- Specific details are sketchy
- Based on available info, Microsoft has not resolved all of the details
- What follows: author's best guesses
- This should all become much clearer in the not-too-distant future
NGSCB Architecture
- Nexus is the Trusted Computing Base in NGSCB
- The NCAs (Nexus Computing Agents) talk to Nexus and LHS
[Figure: left-hand side (LHS), untrusted: applications in user space, regular OS and drivers in the kernel. Right-hand side (RHS), trusted: NCAs in user space, Nexus in the kernel.]
NGSCB
- NGSCB "feature groups"
  1. Strong process isolation
     o Processes do not interfere with each other
  2. Sealed storage
     o Data protected (tamper-resistant hardware)
  3. Secure path
     o Data to and from I/O protected
  4. Attestation
     o "Things" securely authenticated
     o Allows TCB to be extended via NCAs
- 1., 2. and 3. aimed at malicious code
- 4. provides for (secure) extensibility
NGSCB Process Isolation
- Curtained memory
- Process isolation and the OS
  o Protect trusted OS (Nexus) from untrusted OS
  o Isolate trusted OS from untrusted stuff
- Process isolation and NCAs
  o NCAs isolated from software they do not trust
- Trust determined by users, to an extent...
  o User can disable a trusted NCA
  o User cannot enable an untrusted NCA
NGSCB Sealed Storage
- Sealed storage contains secret data
  o If code X wants access to a secret, a hash of X must be verified (integrity check of X)
  o Implemented via symmetric key cryptography
- Confidentiality of the secret is protected since it is only accessed by trusted software
- Integrity of the secret is assured since it's in sealed storage
NGSCB Secure Path
- Secure path for input
  o From keyboard to Nexus
  o From mouse to Nexus
- Secure path for output
  o From Nexus to the screen
- Uses crypto
  o Digital signatures
NGSCB Attestation (1)
- Secure authentication of things
  o Authenticate devices, services, code, etc.
  o Separate from user authentication
- Public key cryptography used
  o Certified key pair required
  o Private key not user-accessible
  o Sign and send result to remote system
- TCB extended via attestation of NCAs
  o This is a major feature!
NGSCB Attestation (2)
- Public key used for attestation
  o However, public key reveals the user identity
  o Anonymity is lost
- Trusted third party (TTP) can be used
  o TTP verifies signature
  o Then TTP vouches for signature to recipient
  o Anonymity preserved (except to TTP)
- Support for zero knowledge proofs
  o Verify knowledge of a secret without revealing it
  o Anonymity "preserved unconditionally"
NGSCB Compelling Apps (1)
- Type a Word document in Windows
- Move document to RHS
  o Trusted area
- Read document carefully
- Digitally sign the document
- "What you see is what you sign"
  o Virtually impossible to assure this on your PC!
NGSCB Compelling Apps (2)
- Digital Rights Management (DRM)
- DRM problems solved by NGSCB
  o Protect secret: sealed storage (impossible without something like NGSCB)
  o Scraping data: secure path (impossible to prevent without something like NGSCB)
  o Positively ID users: higher assurance with NGSCB
NGSCB According to Microsoft
- Everything in regular Windows must still work in the LHS (untrusted side) of an NGSCB'ed system
- User is in charge of
  o Which Nexuses will run on the system
  o Which NCAs will run on the system
  o Which NCAs are allowed to identify the system, etc.
- No external process can enable a Nexus or NCA
- Nexus does not block, delete or censor any data (an NCA does, but NCAs must be authorized by the user)
- Nexus is open source
NGSCB Critics
- There are many critics; we consider two
- Ross Anderson
  o Perhaps the most influential critic
  o One of the harshest critics
- Clark Thomborson
  o Lesser-known critic
  o Criticism strikes at the heart of NGSCB
Anderson's NGSCB Criticism (1)
- Digital object controlled by its creator, not the user of the machine where it resides: Why?
  o Creator can specify the NCA
  o If user does not accept NCA, access is denied
  o Aside: Such control is good in, say, MLS apps
- Suppose Microsoft Word encrypts all documents with a key only available to Microsoft products
  o Difficult to stop using Microsoft products!
Anderson's NGSCB Criticism (2)
- Files from a compromised machine could be blacklisted to, say, prevent music piracy
- Suppose everyone at SJSU uses the same copy of Microsoft Word
  o If you stop this copy from working on all NGSCB machines, SJSU users won't use NGSCB
  o Instead, make all NGSCB machines refuse to open documents created with this instance of Word
  o SJSU users can't share docs with any NGSCB user!
Anderson's NGSCB Criticism (3)
- Going off the deep end?
  o "The Soviet Union tried to register and control all typewriters. NGSCB attempts to register and control all computers."
  o "In 2010 President Clinton may have two red buttons on her desk: one that sends missiles to China and another that turns off all of the PCs in China..."
Thomborson's NGSCB Criticism
- NGSCB acts like a security guard
- By passive observation, the NGSCB "security guard" sees sensitive information
- How can a user know NGSCB is not spying on them?
- According to Microsoft
  o Nexus software will be public
  o NCAs can be debugged (required for app development)
  o NGSCB is strictly "opt in"
- Loophole?
  o Release version of an NCA can't be debugged, and debug and release versions have different hash values!
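The sealed-storage mechanism from the NGSCB Sealed Storage slide and the debug-versus-release loophole on this slide are two sides of one rule: a secret is bound to the hash of the code allowed to read it, so any change to that code, including a debug build, produces a different hash and the secret stays sealed. The following is an added model of that rule, not code from the slides and not Microsoft's or TCG's design. The hardware is modelled by functions that hold a device key no other code sees; the hash is FNV-1a standing in for the cryptographic hash a real TPM uses, and a hash-derived XOR keystream stands in for real symmetric encryption. Neither stand-in is secure; the device key, the code images and the secret are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of sealed storage (added example). A secret is sealed to
 * the measurement (hash) of the code allowed to read it; unsealing re-measures
 * the code that asks and releases nothing on mismatch or tampering. */
#define SECRET_LEN 16

/* Assumed device key: in the model only the "hardware" (these functions) has it. */
static const uint64_t DEVICE_KEY = 0x0123456789abcdefULL;

/* Measurement of a byte string: FNV-1a 64-bit, standing in for SHA-1/SHA-256. */
static uint64_t measure(const unsigned char *data, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; ++i) { h ^= data[i]; h *= 0x100000001b3ULL; }
    return h;
}

struct sealed_blob {
    uint64_t bound_to;              /* measurement of the code allowed to unseal */
    unsigned char ct[SECRET_LEN];   /* secret XOR keystream(DEVICE_KEY, bound_to) */
    uint64_t tag;                   /* integrity tag over bound_to and ct */
};

/* Keystream byte i: keyed hash of the bound measurement and a counter (toy). */
static unsigned char ks_byte(uint64_t bound_to, uint64_t i) {
    unsigned char buf[24];
    memcpy(buf, &DEVICE_KEY, 8); memcpy(buf + 8, &bound_to, 8); memcpy(buf + 16, &i, 8);
    return (unsigned char)measure(buf, sizeof buf);
}

/* Integrity tag: keyed hash of the blob body, so a modified blob is rejected. */
static uint64_t tag_of(const struct sealed_blob *b) {
    unsigned char buf[8 + 8 + SECRET_LEN];
    memcpy(buf, &DEVICE_KEY, 8); memcpy(buf + 8, &b->bound_to, 8); memcpy(buf + 16, b->ct, SECRET_LEN);
    return measure(buf, sizeof buf);
}

/* Seal: bind `secret` to the measurement of `code`. */
static struct sealed_blob seal(const unsigned char secret[SECRET_LEN],
                               const unsigned char *code, size_t code_len) {
    struct sealed_blob b;
    b.bound_to = measure(code, code_len);
    for (uint64_t i = 0; i < SECRET_LEN; ++i) b.ct[i] = secret[i] ^ ks_byte(b.bound_to, i);
    b.tag = tag_of(&b);
    return b;
}

/* Unseal: the hardware measures the code that is asking. Only if the blob is
 * intact and the measurement matches is the secret written to `out`.
 * Returns 1 on release, 0 on refusal; the requesting code never sees the key. */
static int unseal(const struct sealed_blob *b, const unsigned char *requesting_code,
                  size_t code_len, unsigned char out[SECRET_LEN]) {
    if (tag_of(b) != b->tag) return 0;                               /* blob tampered */
    if (measure(requesting_code, code_len) != b->bound_to) return 0; /* wrong code */
    for (uint64_t i = 0; i < SECRET_LEN; ++i) out[i] = b->ct[i] ^ ks_byte(b->bound_to, i);
    return 1;
}

/* Constructed code images: the same NCA as a release build and a debug build. */
static const unsigned char RELEASE_BUILD[] = "wordproc NCA 1.0 (release)";
static const unsigned char DEBUG_BUILD[]   = "wordproc NCA 1.0 (debug)";
static const unsigned char SECRET[SECRET_LEN] = "doc-signing-key";   /* 15 chars + NUL */

/* Returns 1 if the release build gets the secret back and the debug build,
 * whose measurement differs, is refused. */
static int demo_release_vs_debug(void) {
    struct sealed_blob blob = seal(SECRET, RELEASE_BUILD, sizeof RELEASE_BUILD);
    unsigned char out[SECRET_LEN];
    int release_ok = unseal(&blob, RELEASE_BUILD, sizeof RELEASE_BUILD, out)
                     && memcmp(out, SECRET, SECRET_LEN) == 0;
    int debug_ok = unseal(&blob, DEBUG_BUILD, sizeof DEBUG_BUILD, out);
    return release_ok && !debug_ok;
}

/* Returns 1 if a blob with one flipped ciphertext byte is refused even by the
 * code it was sealed to (the integrity half of "sealed"). */
static int demo_tampered_blob(void) {
    struct sealed_blob blob = seal(SECRET, RELEASE_BUILD, sizeof RELEASE_BUILD);
    unsigned char out[SECRET_LEN];
    blob.ct[3] ^= 0x01;
    return !unseal(&blob, RELEASE_BUILD, sizeof RELEASE_BUILD, out);
}

int main(void) {
    printf("release unseals, debug refused: %s\n", demo_release_vs_debug() ? "yes" : "no");
    printf("tampered blob refused:          %s\n", demo_tampered_blob() ? "yes" : "no");
    return 0;
}
```

The point of the model is that the check is enforced by the holder of the device key, not by the requesting code, which is what lets a secret survive a user with full admin privileges. The same binding is what Thomborson's loophole turns on: the debuggable build is a different measurement, so nothing learned by debugging it tells you what the release build does with the secrets that only the release build can unseal.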
NGSCB Bottom Line (1)
- TCG/NGSCB embeds a trusted OS within an open platform
- Without something similar, the PC may lose out
  o Particularly in entertainment-related areas
  o Copyright holders won't trust the PC
- With NGSCB it is often claimed that users will lose control over their PCs
- But users must choose to "opt in"
  o If a user does not opt in, what has been lost?
NGSCB Bottom Line (2)
- NGSCB is a trusted system
- Only a trusted system can break security
  o By definition, an untrusted system is not trusted with security critical tasks
  o Also by definition, a trusted system is trusted with security critical tasks
  o If an untrusted system is compromised, security is not at risk
  o If a trusted system is compromised (or malfunctions), security is at risk