nick p security framework discussion 2015

1. The essence of security is that unauthorized behavior won't occur. That implies the system will always be in one of a known set of acceptable states. Security issues happen at levels from hardware to the app itself. One must also factor in risks such as malicious developers, repository control, distribution, initialization, configuration, and maintenance of secure state. You can be the best coder in the world. However, if you get any of the rest wrong the code quality will simply be something the attacker enjoys observing as he toys with his new machine. ;)
2.  
3. Here's an old (start) to trustworthy software I wrote on Schneier's blog that was mainly focused on preventing subversion. I've left out a few steps to simplify this post.
4.  
5. "1. Requirements for a deliverable must be unambiguous and formal.
6. 2. Every high-level design element must correspond to one or more requirements and this should be shown in documentation.
7. 3. The security policy must be unambiguous, compatible with requirements, and be embedded in the design/implementation. Correspondence must be shown.
8. 4. The Low Level implementation modules must correspond with high level design elements, at least one each.
9. 5. The source code must implement the low level design with provably low defect process and avoid risky constructs/libraries.
10. 6. The object code must be shown to correspond to the source code and no security-critical functionality lost during optimizations.
11. (DO-178B Level A requires this & there are tools to help.)
12. 7. At least one trustworthy, independent evaluator must evaluate the claims and sign the source code to detect later modifications by the developers or repository compromise. This should also be done for updates."
13.  
14. This was just the software. The TCB it runs on and all libraries it trusts must be secure. If they aren't, they must be isolated from main application in a way that contains failures. That's hard. The app must be securely configured, sanitize all input, use easily parsed protocols/storage, exist in predefined states, preferrably be written in a safe language, and have fail-safe crash strategy for unforseen errors with logging.
15.  
16. The high assurance security evaluations often required more. They wanted mathematical specification of requirements, security claims and design. The highest assurance systems wanted mathematical proof of security, correctness, and/or general assurance argument. They required loop-free layering (rare today), modularity (in style), strong focus on interfaces (in style), easily analysed implementaiton constructs (uncommon), extensive testing (in style), pen testing by pro attackers (uncommon to rare today), covert storage/timing channel mitigation (almost nonexistant, although attacks exist), repo software (in style for good dev's), physical security of repo+artifacts (uncommon), and independent evaluation of all of this by trusted, qualified 3rd party (almost non-existent).
17.  
18. Note that this was security in the Orange Book days. This was what it took to call a software+system combination secure on what were basically time-sharing machines, dumb terminals, and simplified desktops/networks. Things have gotten more complicated and risky since then, although issues are similar. A few follow...
19.  
20. 1. Hardware
21. a. Attacks on Intel SMM
22. b. Attacks on TXT
23. c. Malware in wild using processor errata (per Kaspersky)
24. d. DNS subverted because software ignored cosmic ray bit flips
25. e. DMA hardware (firewire attack)
26. f. Overprivileged or hard to control hardware (e.g. USB HID)
27. g. Perhipherals' firmware is programmable and easier to attack
28.  
29. 2. Mainstream Operating Systems
30. a. Huge amounts of kernel code. Kernel bugs followed.
31. b. Huge amounts of trusted code that modifies OS state.
32. c. So bloated that ports to embedded devices are bragworthy.
33. d. Quality increased for many over time, but still tons of vulnerabilities.
34. e. Still plenty of issues with interfaces and legacy libraries.
35. f. They almost totally ignore covert channels.
36.  
37. 3. Middleware
38. a. Middleware quality varies considerably.
39. b. Documentation and actual behavior are often inconsistent.
40. c. Many famous middleware are unnecessarily complicated.
41. d. Combining secure code with insecure middleware often= insecure app
42.  
43. 4. Protocols
44. a. Technically a form of middleware, but I give special treatment.
45. b. Most common protocols designed pre-WWW and have inherent problems.
46. c. Many companies ignore superior alternatives to preserve legacy.
47. d. Hardcoded protocols eventually have issues and can't be replaced.
48. e. Complex protocols are hard to implement, yet used anyway.
49. f. Many attempts at secure protocols are subject to fall-back attacks.
50.  
51. 5. Subversion
52. a. Malicious developer allows compromise via clever, small change
53. (See Myer's on NFS subversion; obfuscated C contest; easter eggs)
54. b. App compromised during build process.
55. c. App compromised between user and developers.
56. c1. Binary modified after build.
57. c2. Modified during transmission.
58. c3. Search results lead to backdoored versions.
59. d. App compromised during installation by misconfig or malice.
60. e. TCB compromised, then malware subverts app.
61. f. Interactions of various software used to compromise one of them.
62.  
63. This is not a 100% comprehensive post on the issues. I've left out the most esoteric stuff like EMSEC. However, making a secure application involves ensuring the elimination of vulnerability across the entire lifecycle. It's not as easy as a few code reviews. The more effective assurance arguments require a great deal of specialised expertise, time, and money. There are also many tradeoffs that one must make. The quote below gets to the bottom of why.
64.  
65. "If you look for a one-word synopsis of computer design philosophy, it was and is SHARING. In the security realm, the one word synopsis is SEPARATION: keeping the bad guys away from the good guys stuff. [important part] So today, making a computer secure requires imposing a "separation paradigm" on top of an architecture built to share. That is tough! Even when partly successful, the residual problem is going to be covert channels."
66. -We Need Assurance, Brian Snow, NSA Technical Director
67.  
68. Old guard tried for decades to build secure systems/software. Certain simple, somewhat specialized systems went unbroken and seem secure. Others were just very hard to attack, limited damage and recovered well. Old principles strained due to issues like DMA and inherent difficulty of securing networked/web environment. The end result, which I promote, is that we can use proven methods to increase quality and assurance of software. We can't claim it's bulletproof but can have more confidence in it.
69.  
70. Increasing assurance across the board eliminates the low hanging fruit current malware authors enjoy, stops the majority of attackers, reduces overall losses, and helps to gradually reduce everyone's overall risk over time. Certain companies are taking the lead and producing very robust software: Praxis's Correct by Construction with SPARK; Green Hill's INTEGRITY-178B; Genode Lab's GenodeOS architecture; Dresden's Nizza Architecture & Mikro-SINA VPN; INRIA's CompCert compiler & Ocaml efforts; Microsoft's VerveOS; Secure64's SourceT OS; Sentinel's HYDRA firewall; Chlipala's Ur/Web; Cornell's SWIFT partitioning web apps. I hope more follow with strong, proven methods to increase assurance of systems. Because the other approaches aren't working, have never worked, and will never work.