Posts in Reviews
Finally, Somebody “Gets” Secure Web Browsing and Does It The Right Way
I’ve ranted before about how insecure web browsers are, because they trust themselves, their libraries and user-added plug-ins too much. At a very high level, they have responsibilities that can be likened to those of operating systems, because they run potentially dangerous code from different sources (users vs web sites) and need to do it separately from each other and from root (the user account running the browser), i.e., securely. The web browsers of today look as ridiculous to me as the thought of using Windows 95 to run enterprise servers. Run an insecure plugin , get owned (e.g., Quicktime). Enable JavaScript, VBScript, ActiveX, Java, get owned. Get owned because the web browser depends on libraries that have more than 6-month-old vulnerabilities (1-year old depending on how you count), and the whole thing collapses like a house of cards. As long as they are internally so open and naive, web browsers will keep having shameful security records and be unworthy of our trust.
IE 7’s protected mode needs to be acknowledged as a security effort, but CanSecWest proved that it didn’t isolate Flash well enough. It’s not clear if a configuration issue was involved, but I don’t care—most people won’t configure it right either then. IE 7’s protected mode is a collection of good measures, such as applying least privilege and separation of privilege, and intercepting system API calls, but it is difficult to verify and explain how it all fits together, and be sure that there are no gaps. More importantly, it relies heavily on the slippery slope of asking the user to appropriately and correctly grant higher permissions. We know where that leads—most everything gets granted and the security is defeated.
Someone not only thought of a proper security architecture for web browsers but did it (see “Secure web browsing with the OP web browser” by Chris Grier, Shuo Tang, and Samuel T. King). There’s a browser kernel, and everything else is well compartmentalized and isolated. Similarly to the best operating system architectures for security, the kernel is very small (1221 lines of code), has limited functionality, and doesn’t run plug-ins inside kernel space (I’d love to have no drivers in my OS kernel as well...). It’s not clear if it’s a minimal or “true” micro-kernel—the authors steer clear of that discussion. Even malicious hosted ads (e.g., Yahoo! has had repeated experiences with this) are quarantined with a “provider domain policy”. This is an interesting read, and very encouraging. I’d love to play with it, but I can’t find a download.
A Look at MITRE’s OVAL Schemas: A Weak Proof of Compliance
If you are intrigued by OVAL, the Open Vulnerability and Assessment Language, and are considering developing rules in it or just want to understand the technical details of how it works, you will need to look at its schemas. The OVAL Design Document, Version 5.0 states that there are 3 schemas, for “representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment.” However, when looking at the downloads available (here’s version 5.3) you’ll notice that there are 28 pdf documents. Which ones do you need?
The document “Introduction to the OVAL Language, Version 5.0” contains this figure:
Conceptual Breakdown of the OVAL Language
-----------------------------------------
OVAL Definition Schema
|
|--> Core Schema
|
|--> Independent Schema (family_test, variable_test, xmlfilecontent_test, etc.)
|
|--> UNIX Schema (file_test, process_test, uname_test, etc.)
| |
| |--> Solaris Schema
| |--> HP-UX Schema
| |--> MacOS Schema
| |
| |--> Linix Schema (dpkg_test, rpminfo_test, etc.)
| |
| |--> RedHat Schema
| |--> Debian Schema
|
|--> Windows Schema (file_test, wmi_test, etc.)
|
|--> Apache Schema
This isn’t a 1-to-1 match with the pdfs available for download, but presents the idea. One difference is that the downloads are organized by rows for “Core”, others for “Common”. One of the downloads is titled inside as “Core Common”—which row would you guess it’s in? What’s the difference between Core, Common and Independent?
Note that “Core Common” is present in all of the schemas, from “OVAL Definition Schema” to “OVAL Variables Schema” (hmm, that’s a 4th schema!?). So, “Core Common” is what is common to the core of all schemas. The “core” of a schema is therefore composed of the “Core Common” and the part of the “Core” that is specific to that schema. Then, the “Independent” part of the schema describes things that are common to all operating systems, and serves to avoid duplication between the documents specific to OSes. So, the difference between “Independent” and “Core” is that the OS-specific parts of the schema have dependencies on the “Core” but not on the “Independent” part.
To get a complete schema, you assemble it from “Core Common”, the “Core” that is specific to that schema, the “Independent” part of the schema, and then the parts specific to your system. So, if you are interested in Solaris definitions, you would need to download the following parts: “Core Common”, “Core”, “Independent”, UNIX and Solaris.
As a more concrete example, the test to find if Solaris is running in 64-bit mode uses the “isainfo_test”, “isainfo_object”, and “isainfo_state” elements defined in the Solaris part of the definitions schema:
<isainfo_test id="oval:org.mitre.oval:tst:3884" version="1"
comment="system is running in 64-bit mode”
check_existence="at_least_one_exists" check="at least one">
<object object_ref="oval:org.mitre.oval:obj:2704"/>
<state state_ref="oval:org.mitre.oval:ste:3528"/>
</isainfo_test>
uses this object and this state:
<isainfo_object id="oval:org.mitre.oval:obj:2704" version="1"/>
<isainfo_state id="oval:org.mitre.oval:ste:3528" version="1">
<bits>64</bits>
</isainfo_state>
From what I can tell, the OVAL interpreter is required to know that given an “isainfo_object” and an isainfo_state with a bits child, it needs to run “isainfo -b”. Information about a scanned system can be stored in a “isainfo_item” which would also have a “bits” child (defined in the Solaris System Characteristics document).
To check if a service is running you would use the element “process_test” (defined in the UNIX Definition schema, as in:
<process_test id="oval:org.mitre.oval:tst:1334" version="1"
check="at least one” comment="The Xorg X server is running”
check_existence="at_least_one_exists"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
<object object_ref="oval:org.mitre.oval:obj:923"/>
</process_test>
which would do a pattern matching operation to the output of “ps”:
<process_object id="oval:org.mitre.oval:obj:923" version="1"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
<command operation="pattern match">.*Xorg\b.*</command>
</process_object>
So again the OVAL interpreter has to know that it needs to run “ps” for this test, and to store the result in a “process_item” element (predictably defined in the Unix System Characteristics schema).
This is nifty but I still feel uncomfortable that all this gathered information is falsifiable in a difficult-to-detect manner. An attacker who compromised the system and wants to evade detection, and therefore might avoid doing suspicious or more difficult things such as replacing a closed-source OVAL interpreter, could write something resembling a rootkit that would fetch up-to-date OVAL definitions and return “correct” answers when the OVAL tool runs. A rogue administrator that just wants to pass some tests while doing other things and operating under configurations that aren’t compliant could write a fake “ps” or “inetd” to pass one or two specific rules; that would be much easier than to mess with the OVAL interpreter itself (in their simplest form the fake programs could simply print a constant string). An attacker could want to indicate that all patches have been applied to avoid the possibility of a patch breaking a “modified” application or closing a backdoor. It could be done by simply modifying or creating the appropriate registry keys.
Regardless of the likelihood of these scenarios, my point is that the evaluation is “subjective” in the sense that it is done by the subject of the evaluation. Anyone wanting to evade compliance (as SCAP and XCCDF currently rely on OVAL, even though they are independent from it in theory) could do so easily, in concept anyway, so the software doesn’t necessarily need to fool the administrator, just the OVAL tool; it doesn’t need to be a full rootkit. OVAL therefore provides a weak proof of compliance. Using external tests whenever possible, conducted from a trusted machine, would be much stronger, but I see no evidence of efforts in that direction. I realize that not all tests can be conducted externally, but emphasizing possible external tests would strengthen OVAL. I have communicated those concerns to MITRE years ago, but it seems that the easy “practical” way is still favored. One could argue that perhaps it’s “good enough”, and provides an opportunity for vendors to deliver value with more robust auditing methods. But if the government is the main market for OVAL products, will it buy those better products or the cheap ones? I understand that the government “needs yesterday” a manageable solution to handle compliance issues. However, I’m afraid that once the weaker standard of proof will be in place, it will be very difficult to upgrade.
The open source Purdue Vulnerability Scanning Cluster based on Nessus is an example of the external approach to the evaluation of compliance (disclosure: I contributed to the design of the VSC). A mixed solution, using external scanning when possible, as well as internal, would be very powerful, especially if discrepancies were flagged.
Computer Security Outlook
Recently, the McAfee Corporation released their latest Virtual Criminology Report. Personnel from CERIAS helped provide some of the research for the report.
The report makes interesting reading, and you might want to download a copy. You will have to register to get a copy, however (that’s McAfee, not CERIAS).
The editors concluded that there are 3 major trends in computer security and computer crime:
- An increasing level and sophistication of nation-state sponsored espionage and (some) sabotage.
- An increasing sophistication in criminal threats to individuals and businesses
- An increasing market for exploits and attack methods
I’ve posted links on my tumble log to a number of recent news articles on computer crime and espionage. It’s clear that there is a lot of misuse occurring, and that we aren’t seeing it all.
[posted with ecto]
Thoughts on Virtualization, Security and Singularity
The “VMM Detection Myths and Realities” paper has been heavily reported and discussed before. It considers whether a theoretical piece of software could detect if it is running inside a Virtual Machine Monitor (VMM). An undetectable VMM would be “transparent”. Many arguments are made against the practicality or the commercial viability of a VMM that could provide performance, stealth and reproducible, consistent timings. The arguments are interesting and reasonably convincing that it is currently infeasible to absolutely guarantee undetectability.
However, I note that the authors are arguing from essentially the same position as atheists arguing that there is no God. They argue that the existence of a fully transparent VMM is unlikely, impractical or would require an absurd amount of resources, both physical and in software development efforts. This is reasonable because the VMM has to fail only once in preventing detection and there are many ways in which it can fail, and preventing each kind of detection is complex. However, this is not an hermetic, formal proof that it is impossible and cannot exist; a new breakthrough technology or an “alien science-fiction” god-like technology might make it possible.
Then the authors argue that with the spread of virtualization, it will become a moot point for malware to try to detect if it is running inside a virtual machine. One might be tempted to remark, doesn’t this argument also work in the other way, making it a moot point for an operating system or a security tool to try to detect if it is running inside a malicious VMM?
McAfee’s “secure virtualization”
The security seminar by George Heron answers some of the questions I was asking at last year’s VMworld conference, and elaborates on what I had in mind then. The idea is to integrate security functions within the virtual machine monitor. Malware nowadays prevents the installation of security tools and interferes with them as much as possible. If malware is successfully confined inside a virtual machine, and the security tools are operating from outside that scope, this could make it impossible for an attacker to disable security tools. I really like that idea.
The security tools could reasonably expect to run directly on the hardware or with an unvirtualized host OS. Because of this, VMM detection isn’t a moot point for the defender. However, the presentation did not discuss whether the McAfee security suite would attempt to detect if the VMM itself had been virtualized by an attacker. Also, would it be possible to detect a “bad” VMM if the McAfee security tools themselves run inside a virtualized environment on top of the “good” VMM? Perhaps it would need more hooks into the VMM to do this. Many, in fact, to attempt to catch any of all the possible ways in which a malicious VMM can fail to hide itself properly. What is the cost of all these detection attempts, which must be executed regularly? Aren’t they prohibitive, therefore making strong malicious VMM detection impractical? In the end, I believe this may be yet another race depending on how much effort each side is willing to put into cloaking and detection. Practical detection is almost as hard as practical hiding, and the detection cost has to be paid everywhere on every machine, all the time.
Which Singularity?
Microsoft’s Singularity project attempts to create an OS and execution environment that is secure by design and simpler. What strikes me is how it resembles the “white list” approach I’ve been talking about. “Singularity” is about constructing secure systems with statements ("manifests") in a provable manner. It states what processes do and what may happen, instead of focusing on what must not happen.
Last year I thought that virtualization and security could provide a revolution; now I think it’s more of the same “keep building defective systems and defend them vigorously”, just somewhat stronger. Even if I find the name somewhat arrogant, “Singularity” suggests a future for security that is more attractive and fundamentally stable than yet another arms race. In the meantime, though, “secure virtualization” should help, and expect lots of marketing about it.
Cyberwar
[tags]cyber warfare, cyber terrorism, cyber crime, Estonia[/tags]
I am frequently asked about the likelihood of cyber war or cyber terrorism. I’m skeptical of either being a stand-alone threat, as neither is likely to serve the goals of those who would actually wage warfare or commit terrorism.
The incidents in Estonia earlier this year were quite newsworthy and brought more people out claiming it was cyber terrorism or cyber warfare. Nonsense! It wasn’t terrorism, because it didn’t terrorize anyone—although it did annoy the heck out of many. And as far as warfare goes, nothing was accomplished politically, and the “other side” was never even formally identified.
Basically, in Estonia there was a massive outbreak of cyber vandalism and cyber crime.
Carolyn Duffy Marsan did a nice piece in Network World on this topic. She interviewed a number of people, and wrote it up clearly. I especially like it because she quoted me correctly! You can check out the article here: How close is World War 3.0? - Network World. I think it represents the situation quite appropriately.
[As a humorous aside, I happened to do a search on the Network World site to see if another interview had appeared without me hearing about it. I found this item that had appeared in December of 2006 and I didn’t know about it until now! Darn, and to think I could have started recruiting minions in January. 
]
Items In the news
[tags]news, cell phones, reports, security vulnerabilities, hacking, computer crime, research priorities, forensics, wiretaps[/tags]
The Greek Cell Phone Incident
A great story involving computers and software, even though the main hack was against cell phones:
IEEE Spectrum: The Athens Affair. From this we can learn all sorts of lessons about how to conduct a forensic investigation, retention of logs, wiretapping of phones, and more.
Now, imagine VoIP and 802.11 networking and vulnerabilities in routers and.... —the possibilities get even more interesting. I suspect that there’s a lot more eavesdropping going on than most of us imagine, and certainly more than we discover.
NRC Report Released
Last week, the National Research Council announced the release of a new report: Towards a Safer and More Secure Cyberspace. The report is notable in a number of ways, and should be read carefully by anyone interested in cyber security. I think the authors did a great job with the material, and they listened to input from many sources.
There are 2 items I specifically wish to note:
- I really dislike the “Cyber Security Bill of Rights” listed in the report. It isn’t that I dislike the goals they represent—those are great. The problem is that I dislike the “bill of rights” notion attached to them. After all, who says they are “rights”? By what provenance are they granted? And to what extremes do we do to enforce them? I believe the goals are sound, and we should definitely work towards them, but let’s not call them “rights.”
- Check out Appendix B. Note all the other studies that have been done in recent years pointing out that we are in for greater and greater problems unless we start making some changes. I’ve been involved with several of those efforts as an author—including the PITAC report, the Infosec Research Council Hard Problems list, and the CRA Grand Challenges. Maybe the fact that I had no hand in authoring this report means it will be taken seriously, unlike all the rest. More to the point, people who put off the pain and expense of trying to fix things because “Nothing really terrible has happened yet” do not understand history, human nature, or the increasing drag on the economy and privacy from current problems. The trends are fairly clear in this report: things are not getting better.
Evolution of Computer Crime
Speaking of my alleged expertise at augury, I noted something in the news recently that confirmed a prediction I made nearly 8 years ago at a couple of invited talks: that online criminals would begin to compete for “turf.” The evolution of online crime is such that the “neighborhood” where criminals operate overlaps with others. If you want the exclusive racket on phishing, DDOS extortion, and other such criminal behavior, you need to eliminate (or absorb) the competition in your neighborhood. But what does that imply when your “turf” is the world-wide Internet?
The next step is seeing some of this spill over into the physical world. Some of the criminal element online is backed up by more traditional organized crime in “meat space.” They will have no compunction about threatening—or disabling—the competition if they locate them in the real world. And they may well do that because they also have developed sources inside law enforcement agencies and they have financial resources at their disposal. I haven’t seen this reported in the news (yet), but I imagine it happening within the next 2-3 years.
Of course, 8 years ago, most of my audiences didn’t believe that we’d see significant crime on the net—they didn’t see the possibility. They were more worried about casual hacking and virus writing. As I said above, however, one only needs to study human nature and history, and the inevitability of some things becomes clear, even if the mechanisms aren’t yet apparent.
The Irony Department
GAO reported a little over a week ago that DHS had over 800 attacks on their computers in two years. I note that the report is of detected attacks. I had one top person in DC (who will remain nameless) refer to DHS as “A train wreck crossed with a nightmare, run by inexperienced political hacks” when referring to things like TSA, the DHS cyber operations, and other notable problems. For years I (and many others) have been telling people in government that they need to set an example for the rest of the country when it comes to cyber security. It seems they’ve been listening, and we’ve been negligent. From now on, we need to stress that they need to set a good example.
[posted with ecto]
End-to-end security
[tags]biometrics,USB,encryption,hacking[/tags]
One of our students who works in biometrics passed along two interesting article links. This article describes how a password-protected, supposedly very secure USB memory stick was almost trivially hacked. This second article by the same author describes how a USB stick protected by a biometric was also trivially hacked. I’m not in a position to recreate the procedure described on those pages, so I can’t say for certain that the reality is as presented. (NB: simply because something is on the WWW doesn’t mean it is true, accurate, or complete. The rumor earlier this week about a delay in the iPhone release is a good example.) However, the details certainly ring true.
We have a lot of people who are “security experts” or who are marketing security-related products who really don’t understand what security is all about. Security is about reducing risk of untoward events in a given system. To make this work, one needs to actually understand all the risks, the likelihood of them occurring, and the resultant losses. Securing one component against obvious attacks is not sufficient. Furthermore, failing to think about relatively trivial physical attacks is a huge loophole—theft, loss or damage of devices is simple, and the skills to disassemble something to get at the components inside is certainly not a restricted “black art.” Consider the rash of losses and thefts of disks (and enclosing laptops) we have seen over the last year or two, with this one being one of the most recent.
Good security takes into account people, events, environment, and the physical world. Poor security is usually easy to circumvent by attacking one of those avenues. Despite publicity to the contrary, not all security problems are caused by weak encryption and buffer overflows!
[posted with ecto]
Stuck in a Rut—Still
[tags]security marketplace, firewalls, IDS, security practices, RSA conference[/tags]
As I’ve written here before, I believe that most of what is being marketed for system security is misguided and less than sufficient. This has been the theme of several of my invited lectures over the last couple of years, too. Unless we come to realize that current “defenses” are really attempts to patch fundamentally faulty designs, we will continue to fail and suffer losses. Unfortunately, the business community is too fixated on the idea that there are quick fixes to really investigate (or support) the kinds of long-term, systemic R&D that is needed to really address the problems.
Thus, I found the RSA conference and exhibition earlier this month to be (again) discouraging this year. The speakers basically kept to a theme that (their) current solutions would work if they were consistently applied. The exhibition had hundreds of companies displaying wares that were often indistinguishable except for the color of their T-shirts—anti-virus, firewalls (wireless or wired), authentication and access control, IDS/IPS, and vulnerability scanning. There were a couple of companies that had software testing tools, but only 3 of those, and none marketing suites of software engineering tools. A few companies had more novel solutions—I was particular impressed by a few that I saw, such as the policy and measurement-based offerings by CoreTrace, ProofSpace, and SignaCert. (In the interest of full disclosure, SignaCert is based around one of my research ideas and I am an advisor to the company.) There were also a few companies with some slick packaging of older ideas (Yoggie being one such example) that still don’t fix underlying problems, but that make it simpler to apply some of the older, known technologies.
I wasn’t the only one who felt that RSA didn’t have much new to offer this year, either.
When there is a vendor-oriented conference that has several companies marketing secure software development suites that other companies are using (not merely programs to find flaws in C and Java code), when there are booths dedicated to secured mini-OS systems for dedicated tasks, and when there are talks scheduled about how to think about limiting functionality of future offerings so as to minimize new threats, then I will have a sense that the market is beginning to move in the direction of maturity. Until then, there are too many companies selling snake oil and talismans—and too many consumers who will continue to buy those solutions because they don’t want to give up their comfortable but dangerous behaviors. And any “security” conference that has Bill Gates as keynote speaker—renowned security expert that he is—should be a clue about what is more important for the conference attendees: real security, or marketing.
Think I am too cynical? Watch the rush into VoIP technologies continue, and a few years from now look at the amount of phishing, fraud, extortion and voice-spam we will have over VoIP, and how the market will support VoIP-enabled versions of some of the same solutions that were in Moscone Center this year. Or count the number of people who will continue to mail around Word documents, despite the growing number of zero-day and unpatched exploits in Word. Or any of several dozen current and predictable dangers that aren’t “glitches”—they are the norm. if you really pay attention to what happens, then maybe you’ll become cynical, too.
If not, there’s always next year’s RSA Conference.
VMworld 2006: Teaching (security) using virtual labs
This talk by Marcus MacNeill (Surgient) discussed the Surgient Virtual Training Lab used by CERT-US to train military personnel in security best practices, etc… I was disappointed because the talk didn’t discuss the challenges of teaching security, and the lessons learned by CERT doing so, but instead focused on how the product could be used in a teaching environment. Not surprisingly, the Surgient product resembles both VMware’s lab manager and ReAssure. However, the Surgient product doesn’t support the sharing of images, and stopping and restarting work, e.g. development work by users (from what I saw—if it does it wasn’t mentioned). They mentioned that they had patented technologies involved, which is disturbing (raise your hand if you like software patents). ReAssure meets (or will soon, thanks to the VIX API) all of the requirements he discussed for teaching, except for student shadowing (seeing what a student is attempting to do). So, I would be very interested in seeing teaching labs using ReAssure as a support infrastructure. There are of course other teaching labs using virtualization that have been developed at other universities and colleges; the challenge is of course to be able to design courses and exercises that are portable and reusable. We can all gain by sharing these, but for that we need a common infrastructure where all these exercises would be valid.
OSCON 2006: Where’s the Security?
OSCON 2006 was a lot of fun for a lot of reasons, and was overall a very positive experience. There were a few things that bugged me, though.
I met a lot of cool people at OSCON. There are too many folks to list here without either getting really boring or forgetting someone, but I was happy to put a lot of faces to names and exchange ideas with some Very Smart People. The PHP Security Hoedown BOF that I moderated was especially good in that respect, I thought. There were also a lot of good sessions, especially Theo Schlossnagle’s Big Bad PostgreSQL: A Case Study, Chris Shiflett’s PHP Security Testing, and the PHP Lightning Talks ("PHP-Nuke is a honeypot” - thank you for the best quote of the convention, Zak Greant).
On the other hand, I was very surprised that the Security track at OSCON was almost nonexistent. There were four sessions and one tutorial, and for a 5-day event with lots of sessions going on at the same time, that seems like a really poor showing. The only other tracks that has security-related sessions were:
- Linux (including one shared with the Security track)
- PHP
which leaves us with the following tracks with no security-oriented sessions:
- Business
- Databases
- Desktop Apps
- Emerging Topics
- Java
- JavaScript/Ajax
- Perl
- Products and Services
- Programming
- Python
- Ruby
- Web Apps
- Windows
I can certainly think of a few pertinent security topics for each of these tracks. I’m not affiliated with O’Reilly, and I have no idea whether the OSCON planners just didn’t get very many security-related proposals, or they felt that attendees wouldn’t be interested in them. Either way, it’s worrisome.
Security is an essential part of any kind of development: as fundamental as interface design or performance. Developers are stewards of the data of their users, and if we don’t take that responsibility seriously, all our sweet gradient backgrounds and performance optimizations are pointless. So to see, for one reason or another, security relegated to steerage at OSCON was disappointing. I hope O’Reilly works hard to correct this next year, and I’m going to encourage other CERIAS folk like Pascal Meunier and Keith Watson to send in proposals for 2007.
