Transcript NSF keynote

Some Thoughts on Network
and Computer Security in
an Academic Environment
Bill Cheswick
Lumeta Corp.
[email protected]
http://www.cheswick.com/
Cybersecurity Summit 2004
1 of 111
Goals
• Some thoughts that might be relevant
• How do you secure things when you
absolutely have to. (Intellink)
• Some (best?) practices I’ve seen or tried
• Suggest some research projects and
directions that might help in the longer run
• Perhaps some keynote thoughts relevant for
the panels
Cybersecurity Summit 2004
2 of 111
This is possibly the hardest
problem in computer security
• Academic environment means free and open
access
• Security generally engineers lack the clout
to enforce security policies
• Clients access the major resources from
client hosts around the world
• Some assembly required
Cybersecurity Summit 2004
3 of 111
What does it mean
to win?
Threat models
72 slides
Cybersecurity Summit 2004
4 of 112
What does it mean to win?
• Keeping the hacker out of critical systems?
– What are your critical systems, anyway?
• Catching him/them?
• Nobody notices that everything is working?
• No mention on the front pages of major
newspapers?
• No angry probing calls from your funding
agency?
Cybersecurity Summit 2004
5 of 111
Threat models at supercomputer
centers
• Embarrass system administrators
• Establish base for attacking other sites?
• Maximize downtime
• Attacks on science: corruption of data or
programs
– Scientists used to share ideas, now they
share programs
– The dirty word nebula in the Virgo cluster
• Attack by a patient Luddite
Cybersecurity Summit 2004
6 of 111
Case studies
• Me
– Limited user base
– Highly compliant users
– Low admin/machine ratio
• Intellink
Cybersecurity Summit 2004
7 of 111
This talk is mostly about *nix
systems, except as noted
• Most big iron runs some *nix OS, proprietary
or not
• Microsoft has their own problems…
Cybersecurity Summit 2004
8 of 111
Microsoft’s Augean Stables:
a task for Hercules
• 3000 oxen, 30 years, that’s roughly one
oxen-day per line of code in Windows
• It’s been getting worse since Windows 95
Cybersecurity Summit 2004
9 of 111
Network and Host security
as I see it
Cybersecurity Summit 2004
10 of 111
Traditional view of host software
Kernel
User programs
Cybersecurity Summit 2004
11 of 111
This traditional view of host
software is wrong
Kernel
User programs
Cybersecurity Summit 2004
12 of 111
User-level programs use the kernel
to interface with the outside world
User programs
Kernel
Cybersecurity Summit 2004
13 of 111
Example: SYN packet attacks
Attacking packets are never
seen at user level….
User
programs
Kernel
Cybersecurity Summit 2004
14 of 111
Example: SYN packet attacks
Attacking packets are never
seen at user level….
…although user mode enables
the kernel listener.
Cybersecurity Summit 2004
User
programs
Kernel
15 of 111
Direct attacks on the kernel are
fairly rare
TCP/ User
IP programs
Kernel
Cybersecurity Summit 2004
16 of 111
Direct attacks on the kernel are
fairly rare
• Though the software is
complex and hard to
test, it’s hard to do
more than break the
kernel
• Used mostly for DOS
TCP/ User
IP programs
attacks
Kernel
• Ping ‘o death
• Random IP options
game (crashme)
Cybersecurity Summit 2004
17 of 111
Some ways to
break into a host:
1) subvert a privileged network
daemon
72 slides
Cybersecurity Summit 2004
18 of 112
Subvert a privileged network
daemon
TCP/
IP
Network
daemon
User
programs
Kernel
Cybersecurity Summit 2004
19 of 111
Rate a computer’s
network security?
netstat –an | wc -l
72 slides
Cybersecurity Summit 2004
20 of 112
Windows ME
Active Connections - Win ME
Proto
TCP
TCP
UDP
UDP
UDP
UDP
UDP
UDP
Local Address
127.0.0.1:1032
223.223.223.10:139
0.0.0.0:1025
0.0.0.0:1026
0.0.0.0:31337
0.0.0.0:162
223.223.223.10:137
223.223.223.10:138
Foreign Address
0.0.0.0:0
0.0.0.0:0
*:*
*:*
*:*
*:*
*:*
*:*
Cybersecurity Summit 2004
State
LISTENING
LISTENING
21 of 111
Windows 2000
Proto
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
Local Address
0.0.0.0:135
0.0.0.0:445
0.0.0.0:1029
0.0.0.0:1036
0.0.0.0:1078
0.0.0.0:1080
0.0.0.0:1086
0.0.0.0:6515
127.0.0.1:139
0.0.0.0:445
0.0.0.0:1038
0.0.0.0:6514
0.0.0.0:6515
127.0.0.1:1108
223.223.223.96:500
223.223.223.96:4500
Foreign Address
0.0.0.0:0
0.0.0.0:0
0.0.0.0:0
0.0.0.0:0
0.0.0.0:0
0.0.0.0:0
0.0.0.0:0
0.0.0.0:0
0.0.0.0:0
*:*
*:*
*:*
*:*
*:*
*:*
*:*
Cybersecurity Summit 2004
State
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
22 of 111
Windows XP: this laptop, preSP2
Proto
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
Local Address
ches-pc:epmap
ches-pc:microsoft-ds
ches-pc:1025
ches-pc:1036
ches-pc:3115
ches-pc:3118
ches-pc:3470
ches-pc:3477
ches-pc:5000
ches-pc:6515
ches-pc:netbios-ssn
ches-pc:3001
ches-pc:3002
ches-pc:3003
ches-pc:5180
ches-pc:microsoft-ds
ches-pc:isakmp
ches-pc:1027
ches-pc:3008
ches-pc:3473
ches-pc:6514
ches-pc:6515
ches-pc:netbios-ns
ches-pc:netbios-dgm
ches-pc:1900
ches-pc:ntp
ches-pc:1900
ches-pc:3471
Foreign Address
ches-pc:0
ches-pc:0
ches-pc:0
ches-pc:0
ches-pc:0
ches-pc:0
ches-pc:0
ches-pc:0
ches-pc:0
ches-pc:0
ches-pc:0
ches-pc:0
ches-pc:0
ches-pc:0
ches-pc:0
*:*
*:*
*:*
*:*
*:*
*:*
*:*
*:*
*:*
*:*
*:*
*:*
*:*
State
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
Cybersecurity Summit 2004
23 of 111
Cybersecurity Summit 2004
24 of 111
It is easy to dump on
Microsoft, but many others
have made the same
mistakes before
Cybersecurity Summit 2004
25 of 111
Default services
SGI workstation: mid 1990s
ftp
stream tcp
telnet stream tcp
shell
stream tcp
login
stream tcp
exec
stream tcp
finger stream tcp
bootp
dgram
udp
tftp
dgram
udp
ntalk
dgram
udp
tcpmux stream tcp
echo
stream tcp
discard stream tcp
chargen stream tcp
daytime stream tcp
time
stream tcp
echo
dgram
udp
discard dgram
udp
chargen dgram
udp
daytime dgram
udp
time
dgram
udp
sgi-dgl stream tcp
uucp
stream tcp
nowait
nowait
nowait
nowait
nowait
nowait
wait
wait
wait
nowait
nowait
nowait
nowait
nowait
nowait
wait
wait
wait
wait
wait
nowait
nowait
root
/v/gate/ftpd
root
/usr/etc/telnetd
root
/usr/etc/rshd
root
/usr/etc/rlogind
root
/usr/etc/rexecd
guest
/usr/etc/fingerd
root
/usr/etc/bootp
guest
/usr/etc/tftpd
root
/usr/etc/talkd
root
internal
root
internal
root
internal
root
internal
root
internal
root
internal
root
internal
root
internal
root
internal
root
internal
root
internal
root/rcv dgld
root
/usr/lib/uucp/uucpd
Cybersecurity Summit 2004
26 of 111
More default services
mountd/1
stream rpc/tcp wait/lc
mountd/1
dgram
rpc/udp wait/lc
sgi_mountd/1 stream rpc/tcp wait/lc
sgi_mountd/1 dgram rpc/udp wait/lc
rstatd/1-3 dgram
rpc/udp wait
walld/1
dgram
rpc/udp wait
rusersd/1
dgram
rpc/udp wait
rquotad/1
dgram
rpc/udp wait
sprayd/1
dgram
rpc/udp wait
bootparam/1 dgram
rpc/udp wait
sgi_videod/1 stream rpc/tcp wait
sgi_fam/1
stream rpc/tcp wait
sgi_snoopd/1 stream rpc/tcp wait
sgi_pcsd/1 dgram
rpc/udp wait
sgi_pod/1
stream rpc/tcp wait
tcpmux/sgi_scanner stream tcp nowait
tcpmux/sgi_printer stream tcp nowait
webproxy
stream tcp
nowait
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
Cybersecurity Summit 2004
rpc.mountd
rpc.mountd
rpc.mountd
rpc.mountd
rpc.rstatd
rpc.rwalld
rpc.rusersd
rpc.rquotad
rpc.sprayd
rpc.bootparamd
?videod
?fam
?rpc.snoopd
?cvpcsd
?podd
?scan/net/scannerd
?print/printerd
/usr/local/etc/webserv
27 of 111
FreeBSD partition, this laptop
(getting out of the game)
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address
tcp4
0
0 *.22
tcp6
0
0 *.22
Cybersecurity Summit 2004
28 of 111
“Best block is not be there”
- Mr. Miyagi (Pat Morita)
Karate Kid
Cybersecurity Summit 2004
29 of 111
Secure network services for *nix
• Postfix
• Openssh
– But if the call comes…
Cybersecurity Summit 2004
30 of 111
Properties of these services
• The authors cared very much about security
from the first moment of design
• The code has a low rate of “improvements,”
which gives the code a chance to stabilize
• The security record for these is excellent,
though not perfect
• Careful efforts by a few have benefited us all
Cybersecurity Summit 2004
31 of 111
Some popular network services I
don’t like
• NFS
– Not Unix file system semantics
– RPC implementation is complicated and
dangerous
• Still sniffable
– POP3
– SNMP
– Instant messaging
Cybersecurity Summit 2004
32 of 111
Research/project/funding
suggestion
• Rewrite or audit the software we rely on the
most
– This has been done to some extent…see
below
– Libc, ASN.1 compiler, C compiler, kernel
calls (“Setuid demystified”)
• Perhaps Knuth would write a new inetd…
Cybersecurity Summit 2004
33 of 111
The Pretty Good
Wall of China
Cybersecurity Summit 2004
34 of 111
Perimeter defenses don’t work…
• If the perimeter is too big, or
• If you have to let the barbarians in
Cybersecurity Summit 2004
35 of 111
Cybersecurity Summit 2004
36 of 111
Some ways to break
into a host:
2) subvert a user account and break into
root or admin using setuid programs
72 slides
Cybersecurity Summit 2004
37 of 112
Subvert a user account and
break into root or admin
TCP/
IP
User
Setuid
program
Kernel
Cybersecurity Summit 2004
38 of 111
“Unix is an administrative
nightmare.”
-- Dennis Ritchie
Cybersecurity Summit 2004
39 of 111
“GUIs are not the answer to
Unix’s administrative
nightmare.”
-- me
Cybersecurity Summit 2004
40 of 111
Rate a Unix systems
host security?
find / -perm -4000 -user root -print |
wc -l
72 slides
Cybersecurity Summit 2004
41 of 112
/bin/rcp
44
/sbin/ping
/sbin/ping6
/sbin/shutdown
/usr/X11R6/bin/Xwrapper
/usr/X11R6/bin/xterm
/usr/X11R6/bin/Xwrapper-4
/usr/bin/keyinfo
/usr/bin/keyinit
/usr/bin/lock
/usr/bin/crontab
/usr/bin/opieinfo
/usr/bin/opiepasswd
/usr/bin/rlogin
/usr/bin/quota
/usr/bin/rsh
/usr/bin/su
/usr/bin/lpq
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/chpass
/usr/bin/login
/usr/bin/passwd
/usr/bin/at
/usr/bin/ypchsh
/usr/bin/ypchfn
/usr/bin/ypchpass
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/yppasswd
/usr/bin/batch
/usr/bin/atrm
/usr/bin/atq
/usr/local/bin/screen
/usr/local/bin/sudo
/usr/local/bin/lppasswd
/usr/sbin/mrinfo
/usr/sbin/mtrace
/usr/sbin/ppp
/usr/sbin/pppd
/usr/sbin/sliplogin
/usr/sbin/timedc
/usr/sbin/traceroute
/usr/sbin/traceroute6
Cybersecurity Summit 2004
42 of 111
Remove the ones I
never use
You should never be vulnerable to the weaknesses
of a feature you do not use.
-- Microsoft security goal
72 slides
Cybersecurity Summit 2004
43 of 112
/bin/rcp
/sbin/ping
/sbin/ping6
/sbin/shutdown
/usr/X11R6/bin/Xwrapper
/usr/X11R6/bin/xterm
/usr/X11R6/bin/Xwrapper-4
/usr/bin/keyinfo
/usr/bin/keyinit
/usr/bin/lock
/usr/bin/crontab
/usr/bin/opieinfo
/usr/bin/opiepasswd
/usr/bin/rlogin
/usr/bin/quota
/usr/bin/rsh
/usr/bin/su
/usr/bin/lpq
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/chpass
/usr/bin/login
/usr/bin/passwd
/usr/bin/at
/usr/bin/ypchsh
/usr/bin/ypchfn
/usr/bin/ypchpass
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/yppasswd
/usr/bin/batch
/usr/bin/atrm
/usr/bin/atq
/usr/local/bin/screen
/usr/local/bin/sudo
/usr/local/bin/lppasswd
/usr/sbin/mrinfo
/usr/sbin/mtrace
/usr/sbin/ppp
/usr/sbin/pppd
/usr/sbin/sliplogin
/usr/sbin/timedc
/usr/sbin/traceroute
/usr/sbin/traceroute6
Cybersecurity Summit 2004
44 of 111
/sbin/ping
/sbin/ping6
/usr/X11R6/bin/xterm
/usr/X11R6/bin/Xwrapper-4
/usr/bin/crontab
/usr/bin/su
/usr/bin/lpq
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/login
/usr/bin/passwd
/usr/bin/at
/usr/bin/chsh
/usr/bin/atrm
/usr/bin/atq
/usr/local/bin/sudo
/usr/sbin/traceroute
/usr/sbin/traceroute6
Cybersecurity Summit 2004
45 of 111
Some should not
need root, or
shouldn’t be setuid
Least privilege
72 slides
Cybersecurity Summit 2004
46 of 112
/sbin/ping
/sbin/ping6
/usr/X11R6/bin/xterm
/usr/X11R6/bin/Xwrapper-4
/usr/bin/crontab
/usr/bin/su
/usr/bin/lpq
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/login
/usr/bin/passwd
/usr/bin/at
/usr/bin/chsh
/usr/bin/atrm
/usr/bin/atq
/usr/local/bin/sudo
/usr/sbin/traceroute
/usr/sbin/traceroute6
Cybersecurity Summit 2004
47 of 111
/usr/X11R6/bin/Xwrapper-4
/usr/bin/su
/usr/bin/passwd
/usr/bin/chsh
/usr/local/bin/sudo
Cybersecurity Summit 2004
48 of 111
Research/project/funding
suggestion
• Re-engineer these programs to lower their
privilege requirements
– (you’ve been complaining about this in
Microsoft software!)
• (and justifiably so)
• Extra funding for reducing the size of the
programs
• Must be done on many *nix distributions, not
just your favorite one
Cybersecurity Summit 2004
49 of 111
Setuid-root
AIX 4.2
&
BSD/OS 3.0
&
FreeBSD 4.3
&
FreeBSD 4.3
&
FreeBSD 4.5
&
HPUX A.09.07
&
Linux (Mandrake 8.1)
&
Linux (Red Hat 2.4.2-2) &
Linux (Red Hat 2.4.7-10)
Linux (Red Hat 5.0)
&
Linux (Red Hat 6.0)
&
Linux 2.0.36
&
Linux 2.2.16-3
&
Linux 7.2
&
NCR Intel 4.0v3.0
&
NetBSD 1.6
&
SGI Irix 5.3
&
SGI Irix 5.3
&
Sinux 5.42c1002
&
Sun Solaris 5.4
&
Sun Solaris 5.6
&
Sun Solaris 5.8
&
Sun Solaris 5.8
&
Tru64 4.0r878
&
242
78
42
47
43
227
39
39
59
38
26
47
42
113
35
83
102
60
52
74
70
82
72
& a staggering number \\
\\
&
&
&
&
&
&
&
&
&
&
&
&
&
&
&
&
someone's guard machine\\
2 appear to be third-party\\
see text for closer analysis \\
about half may be special for this host \\
3 appear to be third-party \\
2 third-party programs \\
31
& 2 third-party programs\\
\\
2--4 third-party \\
approved distribution for one university \\
\\
\\
34 may be special to this host \\
\\
\\
\\
2 third-party programs\\
6 third-party programs\\
11 third-party programs\\
6 third-party programs\\
6 third-party programs\\
\\
Cybersecurity Summit 2004
50 of 111
Some ways to
break into a host:
3) Fool a user (system administrator?) into
executing your code while privileged
72 slides
Cybersecurity Summit 2004
51 of 112
Modified versions of ssh client in
user’s /bin directory
• Why was this ever executed. Did the bad
guys change the PATH data
• Stuff like this can be checked regularly with
an updated version of something like COPS.
• User’s are going to get this wrong (i.e. not
notice it), and we are going to have to live
with it
Cybersecurity Summit 2004
52 of 111
If the bad guys get a
user account on
your Unix system,
they can root the
machine.
Game over.
72 slides
Cybersecurity Summit 2004
53 of 112
Network security
Engineering secure systems from insecure
parts?
Some assembly required
72 slides
Cybersecurity Summit 2004
54 of 112
Secure computing requirements
• Secure client
• Secure
communications
• Secure server
User
Client host
(in Molvania)
Cybersecurity Summit 2004
55 of 111
Secure client
• You don’t have that
• You probably can’t have that
• It would be expensive and inconvenient if
you do have it
Cybersecurity Summit 2004
56 of 111
Secure communications
• Got it! We won the crypto wars
• In June 2003, NSA said that a properly
implemented and vetted version of AES is
suitable for Type 1 cryptography!
• Ssh is not perfect, but it is holding up pretty
well
Cybersecurity Summit 2004
57 of 111
Research/project/funding
suggestion
• Formal methods for protocol design and
verification
• This has been on some lists for a long time
• It is hard
Cybersecurity Summit 2004
58 of 111
Secure servers
• That’s your job
• Potentially doable
• You must mistrust all clients, even with
strong authentication!
Cybersecurity Summit 2004
59 of 111
Review of security checkpoints
User
Client host
(in Molvania)
Cybersecurity Summit 2004
60 of 111
Review of security checkpoints
Front end
User
Client host
(in Molvania)
Cybersecurity Summit 2004
61 of 111
Review of security checkpoints
Front end
Big Iron
User
Client host
(in Molvania)
Cybersecurity Summit 2004
62 of 111
Review of security checkpoints
Front end
Big Iron
User
Client host
(in Molvania)
File server/
File backup
Cybersecurity Summit 2004
63 of 111
Review of security checkpoints
Front end
Big Iron
User
Client host
(in Molvania)
Hacker
File server/
File backup
Cybersecurity Summit 2004
64 of 111
Review of security checkpoints
Front end
Big Iron
User
Client host
(in Molvania)
Hacker
File server/
File backup
Cybersecurity Summit 2004
65 of 111
Review of security checkpoints
Front end
Big Iron
User
Client host
(in Molvania)
Hacker
File server/
File backup
Cybersecurity Summit 2004
66 of 111
Review of security checkpoints
Front end
Big Iron
User
Client host
(in Molvania)
Hacker
File server/
File backup
Cybersecurity Summit 2004
67 of 111
It is poor
engineering to rely
on the security
savvy of the user
base
72 slides
Cybersecurity Summit 2004
68 of 112
Cybersecurity Summit 2004
69 of 111
Users are not going to pick
passwords that are resistant to
dictionary attacks. Period.
• Either don’t let them pick passwords
– Inconvenient for the users
– Not a panacea (see below)
• Or don’t give the bad guys a chance to run
dictionary attacks---get out of the game
– That means passwords are validated on
the server, not the client
– Ssh agent keys get this wrong
– Bank ATM cards get this right
Cybersecurity Summit 2004
70 of 111
Don’t let users pick passwords
• Machine can choose them. Then they get
written down and/or forgotten. Not good,
though post-it passwords don’t involve the
usual threat models. Bad idea.
– Password aging is a bad idea. Good
passwords are hard to think up and
remember
• Use multifactor authentication, i.e. hardware
tokens or one-time passwords
Cybersecurity Summit 2004
71 of 111
Hardware tokens
• It would be nice if the
server end is open
source
• The business model
has never been one for
global adoption
• Challenge/response
form factor is the
safest, but not
accepted
Cybersecurity Summit 2004
72 of 111
OTPs are not a cure-all perfect
• I installed these at Bell Labs in the early
1990s
• “We never had an undetected break-in” – me
• “Yes, you did.” – Steve Branigan
Cybersecurity Summit 2004
73 of 111
Review of security checkpoints
Front end
Big Iron
User
Client host
(in Molvania)
Hacker
File server/
File backup
Cybersecurity Summit 2004
74 of 111
Case Study
My little home network
72 slides
Cybersecurity Summit 2004
75 of 112
User base
• Me
• My family
– (family members are like employees, from
a security standpoint)
Cybersecurity Summit 2004
76 of 111
Goals
• Easy experimentation on the Internet
– No firewall for secure clients and servers
• Support for family computing
– Shared file system
– 140GB of family photos
– Digital house support
• Experimentation with strong host security
– Is it too hard to trade off convenience for
security? Skinny-dipping on the Internet
• Protect family databases
Cybersecurity Summit 2004
77 of 111
Threats
• Loss of data
• Loss of Saturdays
• Loss of face
Cybersecurity Summit 2004
78 of 111
Tools
• Very few network services
• Moderately-well understood OS (FreeBSD)
• Unsafe network services in chroot jails
– Belt and suspenders
• End-to-end encryption, always
– No kiosks for reading mail…
– WAP and sniffed Ethernets not a problem
• Two factor authentication
Cybersecurity Summit 2004
79 of 111
More tools
• Network and host monitors for alien packets
and changes to important files
• Lots of disk space (>1TB at home)
– Onsite and offsite backups with rsync
over ssh
Cybersecurity Summit 2004
80 of 111
My home network
Family web server
Shared files
User
Client host
(in Molvania)
File backup
Cybersecurity Summit 2004
81 of 111
Access rules
• Ssh only for non-web access
• Other services tunneled through ssh
– With Unix or MSFT client
• Backup hosts unreachable from the outside,
and from the server host
• I win if the backed up machines remain
unhacked, and the file contents remain
intact
Cybersecurity Summit 2004
82 of 111
Results
• Almost ten-year old experiment
– No viruses, no break-ins
– Was a mail relay for a few weeks
• Working quite well
• Daughter away at school has to follow same
rules for home access
– My email service for her was substandard
• Still need a good POP3S service for me Treo
• Cooperative user population makes all the
difference
Cybersecurity Summit 2004
83 of 111
Case Study
Intellink
72 slides
Cybersecurity Summit 2004
84 of 112
Caveat
• I have no current clearance
• I have received no briefings on Intellink
Cybersecurity Summit 2004
85 of 111
Intellink
• Described in James Banford’s Body of
Secrets
• Imagine a distribution system for top secret
information using search engines and
Internet technology
• Given the known security “successes” of
the Internet, how the hell would you
implement such a thing with a reasonable
expectation of security?!!
Cybersecurity Summit 2004
86 of 111
Some of my list
• Sealed client hardware
– Client required to access the secrets
– On-board crypto, that zeroizes when the
box is opened, or movement or light is
detected inside the box
– No software updates or changes available
in the field
– Virtual machines for different levels of
classification. Linux implementation?
• Probably external hardware crypto as well
Cybersecurity Summit 2004
87 of 111
Client software
• Pick a browser, and spend a lot of money…
– Ripping out unneeded features
– Vetting the SSL implementation
– Vetting the C compiler and libraries used
Cybersecurity Summit 2004
88 of 111
Server hosts
• Every server is registered
• Only registered servers allowed
• Network is scanned constantly for alien
hosts and servers
Cybersecurity Summit 2004
89 of 111
Very strong user authentication
• Also, PKI and protected databases of who is
authorized for what
– Database is distributed among the
servers, no central repository
• Revocation lists, tight policies with
employment office to kill dead accounts
Cybersecurity Summit 2004
90 of 111
Access only from within the
intranet
• Perimeter security, tightly patrolled
• Firewalls (“guards”) to other networks,
intensely engineered and constantly
watched
• Intranet is wired with packet sniffers, IDS,
etc.
– Every anomaly is chased down
– There is enough funding to do that
• If a virus appears, there is enough
instrumentation to find out where it came
from, and how far it got
Cybersecurity Summit 2004
91 of 111
Policy support
• A big mallet to use on non-compliant users
– Spooks are generally little better than
normal users
• Mallet (which exists, for classified data)
includes:
– Official reprimand
– Disconnection from the network
– Dismissal
– Criminal charges
• Accountability story at the NSA web site
Cybersecurity Summit 2004
92 of 111
I’ve talked to some spooks
• Obviously, this is an incomplete list
• Not all safeguards are implemented as well
as I might hope
• These guesses, and others, are pretty close
to the mark
– They’ve spent hundreds of thousands of
dollars vetting software….Hmmm
Cybersecurity Summit 2004
93 of 111
Linux SE
• Mods came from the NSA
• Quickly implemented in public Linux
systems
• This is a nice model, could we have more,
please?
Cybersecurity Summit 2004
94 of 111
Research/project/funding
suggestion
• See if some of the vetted software can be
declassified and distributed
• Win-win funding situation for the public and
the spooks
• Open source means you can trust the NSA!
Cybersecurity Summit 2004
95 of 111
How I Would Fix
This*
* Given some money and a lot of
clout
72 slides
Cybersecurity Summit 2004
96 of 112
Secure servers and big iron, and
• Only allow connections from special client
hardware
• Yes, I know this is probably not going to fly,
but it is the only solution that would greatly
improve the situation
Cybersecurity Summit 2004
97 of 111
A custom client computer is
required
• Turnkey system
• No shell prompts, no root access, no
network services
• USB key fob with PIN to login
– Requires reinsertion now and then if
terminal is idle
• Tamper-resistant key/chip zeroizes if case is
opened
– Contact || light || motion detected
Cybersecurity Summit 2004
98 of 111
More on the client
• It only accesses the remote supercomputer
cluster
• All access is over the network, and
encrypted…ssh is good enough
• Can read data off a CDROM. Data only, no
programs or patches installable
• This is a pain, and a little expensive: they
won’t like this
Cybersecurity Summit 2004
99 of 111
The network
• Has end-to-end encryption. Ssh with public
key, plus some sort of authentication when
first logging on that requires the fob.
Cybersecurity Summit 2004
100 of 111
The server
• Since keeping users out of root is hard, each
user gets his own virtual machine on the
server
• He can run batch or interactive stuff.
• The server may be a front end to clusters or
other hardware
Cybersecurity Summit 2004
101 of 111
Other mitigations
• Static kernel defeats loadable hacking
modules
– You do recompile your kernel from
sources anyway, don’t you?
• B1 systems
– A further major administrative nightmare
– But it could help a lot
Cybersecurity Summit 2004
102 of 111
Research/project/funding
suggestion
• How can we chroot user-level programs?
• I don’t trust my browser, and would like to
jail it
• Chroot doesn’t hack it
• There have been a number of papers on the
topic, back over 10 years
• None are widely implements
• Browser plus jailing config file
Cybersecurity Summit 2004
103 of 111
Summary: we ought to win
these battles
• We control the playing field
• DOS is the worse they can do, in theory
• We can replicate our successes
• We can converge on a secure-enough
environment
Cybersecurity Summit 2004
104 of 111
Some successes
• Linux SE
– Helpful feedback from NSA
– I’d like to see a lot more of this
• Programs written by security fanatics
– Postfix (mail transport)
– Openssh (secure terminal sessions and
file transport)
Cybersecurity Summit 2004
105 of 111
A few projects
• Secure Debian
• OpenBSD and others
• NSF Cyber Trust looks promising
• Variety of other research operating systems
Cybersecurity Summit 2004
106 of 111
This is openssh
• One of the successes of the last decade
• Not quite perfect, but much better than the
alternatives
– No excuse to run telnet or ftp (except
anonymous) any more
• Yes, you can afford the overhead for crypto,
even when moving terabytes
– Thanks to Moore’s law, you are unlikely to
notice it
Cybersecurity Summit 2004
107 of 111
Software scales
• Linus can write a kernel
• Don Knuth can write a kernel
• Profit is not necessarily an obstacle to
engineering the software we need
• LinuxSE
Cybersecurity Summit 2004
108 of 111
Executive Summary - I
• Internet security is still quite hard, and we
are not very good at it
• Internet security is hardest when we are
supporting a large number of users
– If we can’t control their security, they
become the source of attacks
• Security is hardest in an open environment
• We don’t have hard answers, just mitigations
• Attacks like these will happen again
Cybersecurity Summit 2004
109 of 111
Executive Summary - II
• We’ve actually gotten noticeably better at
Internet security in the past decade
– Strong encryption is easy and can be
ubiquitous
– Robust clients are increasingly possible
– Much server software is stronger now
– Microsoft is trying to clean up their act
• None of this is easy to explain to nontechnical funders who read about it on the
front page of the newspaper
Cybersecurity Summit 2004
110 of 111
Conclusion
The problem of secure computing in
an open environment with many
users is unsolved, and it appears to
be quite hard. The best we can
hope for is gradual mitigation,
converging on a safer world.
72 slides
Cybersecurity Summit 2004
111 of 112
You will not see the
end of this process,
nor are you allowed
to desist from it
72 slides
Cybersecurity Summit 2004
112 of 112