SECURITY: “Back to the Future”: Revisiting Trusted Computer Systems as a Basic Protection Requirement

Date posted: 18-Dec-2015
Category: Documents

Transcript of SECURITY: “Back to the Future”: Revisiting Trusted Computer Systems as a Basic Protection Requirement

Slide 1

SECURITY: “Back to the Future”: Revisiting Trusted Computer Systems as a Basic Protection Requirement

Slide 2

"For many, the cyber threat is hard to understand; no one has died in a cyberattack, after all, there has never been a smoking ruin for cameras to see,"

"It is the kind of thinking that said we never had a major foreign terrorist attack in the United States, so we never would; al Qaeda has just been a nuisance, so it never will be more than that."

Richard A. Clarke (former Cybersecurity Advisor to the White House), reported testimony before the House Government Reform Subcommittee, USA, 8 April 2003. Report: Washington Post, 8 April 2003, http://www.washingtonpost.com

Richard A. Clarke, 8 April 2003

Slide 3

9 April 2003

Slide 4

Slide 5

5 THEMES:

1. computer security needs radical attention after over 20 years of neglect

Slide 6

5 THEMES:

2. computer security technology - understood for over 25 years, BUT associated products limited

move beyond “perimeter” security

Slide 7

5 THEMES:

3. response in commodity IT products - almost non-existent - no market for “trusted” computer systems

Slide 8

5 THEMES:

4. CIOs and IT professionals - take the lead! - warn senior management of risks and consequences - say “no” to the use of cheap, commodity products for mission-critical systems, under the threat of legal action to both themselves and their boards

Slide 9

5 THEMES:

5. government must step in to cause the industry to “lift its game” in this area, as in the automobile, pharmaceuticals, food and like industries - unless, via education and training, the market for security can be lifted by normal market forces in a rapid manner?

Slide 10

Today’s Context.

Slide 11

“Sunday” – Channel 9, 6 April 2003.

Menangle Bridge, NSW – CLOSED 27 Mar ’03, WARNED 6 Mar ’03

NSW Transport Services (Rail)

“…They’re frightened of bringing bad reports to the Government…. They’ve been managed for good news..”

Slide 12

AUSTRALIAN FINANCIAL REVIEW, 15 April 2003.

“Judge urges directors to end ‘climate of fear’.”

ASIC Chair, Mr David Knott: ”Business and its advisors need to demonstrate by their conduct and their actions that the government and corporate regulators have been justified in refraining from more radical surgery.”

HIH Royal Commission

Slide 13

BUSINESS IMPERATIVES

Slide 14

IMPERATIVES

• LEGISLATORS
• DIRECTORS
• MANAGERS
• IT PROFESSIONALS

Slide 15

IMPERATIVES

IT PROFESSIONALS

Roles & Obligations:
• Development
• Deployment
• Operation
• Investigation
• Litigation

Slide 16

COMPUTER SECURITY

Slide 17

Slide 18

September 2002, Otellini

Slide 19

COMPUTERS

• The basis for protection on the Internet.
• General purpose and embedded

IT’S NOT THE ‘NET, IT’S THE NODES!

Slide 20

Forrester, March 2003

“Can Microsoft Be Secure?”

• 74% of users don’t trust Microsoft security
• 9 out of 10 users deploy sensitive applications on Windows, anyway.

Slide 21

Brian Valentine, Senior Vice-President, Microsoft Windows Development

“..I’m not proud… We really haven’t done everything we could to protect our customers…. Our products just aren’t engineered for security”

Computerworld (Australia), September 16, 2002, page 14.

Slide 22

VENDOR ESCAPE:

MICROSOFT (Mundie, 8 Oct. 2002, RSA, Paris)

• Question: 25 years to go “trustworthy”?
• Reply:
  • “Customers wouldn’t pay for it until recently.”
  • “Information officers .. only recently begun to demand security.”
  • “.. Only in last 10 years that Microsoft has attempted to play in the security-requiring worlds of banking, payroll and networked systems…”

Slide 23

WINDOWS NT / 2000 / XP EXPERIENCE

“Although each Win32 process has its own private memory space, kernel-mode operating system and device driver code share a single virtual address space… Windows 2000 doesn't provide any protection to private read/write system memory being used by components running in kernel mode. In other words, once in kernel mode, operating system and device driver code has complete access to system space memory and can bypass Windows 2000 security to access objects."

Solomon, D. and Russinovich, M., "Inside Microsoft Windows 2000", Third Edition, Microsoft Press, Redmond, Washington, USA, 2000.

Every IT professional can learn how to write a driver!

Every user can install a driver!

Slide 24

IBM Advertisement, BYTE Magazine, Dec. 1985.

IBM PC Ad – 1981.

ATTITUDE / ENVIRONMENT / MARKET

1980s

Slide 25

eWeek, April 18, 2003: “Securing Windows Server 2003”, by Dennis Fisher

SAN FRANCISCO—The upcoming release of Windows Server 2003 is a watershed event, not only for the Windows group, but also for the security team at Microsoft Corp. Company executives have made it quite clear over the last few months that the next version of the flagship operating system will be a key test for the processes and improvements made as part of the Trustworthy Computing initiative. In fact, Dave Aucsmith, chief technology officer of the Security Business Unit at Microsoft, based in Redmond, Wash., said if the OS is found to be as vulnerable as previous versions of Windows, it will mean that the company's model for improving security "was wrong."

Solution: Look at the base!

Slide 26

The riches won't flow until Wi-Fi security reaches industrial grade. Corporations are hankering for the power and flexibility of Wi-Fi networks, but many are postponing rollouts in strategic areas until they're convinced that hackers, spies, and competitors can't intercept wireless data. General Motors Corp. has deployed Wi-Fi in 90 manufacturing plants but is holding off on Wi-Fi at headquarters until next year. Why? Execs worry that until new encryption is in place, guests at a Marriott Hotel (MAR) across the street could log on to GM's network and make off with vital memos and budgets. Industry analysts say a slew of airtight Wi-Fi security systems will be out next year. But delays or news of security breaches could pummel confidence in the technology.

BW, 28 April 2003

THE PROBLEM CONTINUES! SECURE FROM THE START?

Slide 27

ADD-IN SECURITY

Slide 28

“End systems must be able to enforce the separation of information based on confidentiality and integrity requirements to provide system security. Operating system security mechanisms are the foundation for ensuring such separation. Unfortunately, existing mainstream operating systems lack the critical security feature required for enforcing separation: mandatory access control. As a consequence, application security mechanisms are vulnerable to tampering and bypass, and malicious or flawed applications can easily cause failures in system security.”

NSA & NAI Labs, 18 Dec. 2000

UNDENIABLE EXPERT TESTIMONY IN LITIGATION!
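As an added illustration of the quoted point (example code written for this transcript, not from the slides or from NSA/NAI Labs), a toy reference monitor shows why an application running as a file's owner can defeat discretionary controls but not mandatory labels; the users, labels and file contents are constructed.

```python
"""Toy reference monitor: discretionary (DAC) versus mandatory (MAC) access control.
Constructed example (not from the slides or NSA/NAI Labs): under DAC alone an application
running as a file's owner can expose its data; under MAC the Bell-LaPadula rules hold."""
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}  # constructed label lattice

def dominates(a: str, b: str) -> bool:
    return LEVELS[a] >= LEVELS[b]

@dataclass
class File:
    owner: str
    label: str                    # MAC classification, assigned by the system
    world_readable: bool = False  # DAC bit the owner is free to change
    data: str = ""

@dataclass
class Subject:
    name: str
    clearance: str                # MAC clearance

def dac_check(s: Subject, f: File, op: str) -> bool:
    # DAC: owners may read, write or chmod their own files; others need the DAC bit.
    return s.name == f.owner or (op == "read" and f.world_readable)

def mac_check(s: Subject, f: File, op: str) -> bool:
    # MAC: simple-security rule for reads, *-property for writes. chmod only touches
    # DAC bits, so it is allowed but cannot weaken the label check on later reads.
    if op == "read":
        return dominates(s.clearance, f.label)
    if op == "write":
        return dominates(f.label, s.clearance)
    return True

def request(s: Subject, f: File, op: str, mandatory: bool) -> bool:
    # Reference monitor: DAC always applies; MAC is layered on top when enabled.
    return dac_check(s, f, op) and (not mandatory or mac_check(s, f, op))

def leak_scenario(mandatory: bool) -> dict:
    # A flawed app running as alice (SECRET) tries to expose a SECRET file to bob
    # (UNCLASSIFIED): first by writing it down, then by relaxing the DAC bits.
    secret = File("alice", "SECRET", data="budget figures")  # constructed sample data
    public = File("alice", "UNCLASSIFIED", world_readable=True)
    alice, bob = Subject("alice", "SECRET"), Subject("bob", "UNCLASSIFIED")
    if request(alice, public, "write", mandatory):  # write-down attempt
        public.data = secret.data
    if request(alice, secret, "chmod", mandatory):  # make the SECRET file world-readable
        secret.world_readable = True
    return {"copied_down": public.data == secret.data,
            "bob_reads_secret": request(bob, secret, "read", mandatory)}
```

With `mandatory=False` both leaks succeed; with `mandatory=True` the owner's chmod still goes through, but neither the write-down nor bob's read-up passes the label check.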

Slide 29

TCPA – Trusted Computing Platform Alliance

• 145 PC & related manufacturers/enterprises at 30 Jan 2001
• Main specification - 25 January 2001
• “… a sensible layperson should trust only those systems that have been publicly examined by the (cryptographic and security) community…”
• Implied: Current PCs DO NOT MEET THIS need.
• For a while - detection vs prevention

UNDENIABLE EXPERT TESTIMONY IN LITIGATION!

Slide 30

OKENA - CISCO (April 2003)

INSIDE THE COMPUTER OS

Slide 31

CRYPTO INTEGRATION

“.. hardware on which applications run must be secure, as must the operating system and run time environment in between, while offering a reasonable API for application developers…

.. applications cannot be more secure than the kernel functions they call, and the operating system cannot be more secure than the hardware that executes its commands..”

Dyer et al., “Building the IBM 4758 Secure Coprocessor”, IEEE Computer, October 2001.

Slide 32

Slide 33

What’s in a Name?

• The technology formerly known as “Palladium” from 24 January 2003 will be called: “Next-Generation Secure Computing Base for Windows” – NGSCBW ???

Real security architecture or another BIG patch?

Slide 34

MS says NGSCBW is…

• Code name for core components of Windows OS that combine hardware and software to ensure:
  • System integrity
  • Personal privacy
  • Information protection
• Needs the commitment of the entire computer industry (software, hardware, ISPs, etc.)

From presentation “Trustworthy Computing and Palladium”, John Manferdelli – General Manager, Windows Trusted Platform Technologies. Downloaded from http://www.netproject.com/presentations/TCPA/john_manferdelli.pdf

Slide 35

WEB SERVICES

Slide 36

“Building castles on quicksand”

Layers (top to bottom):
WEB SERVICES SECURITY: AUTH | ROLE | PRIV | POLICY | TRUST | AUDIT
MIDDLEWARE SECURITY
OPERATING SYSTEM SECURITY
HARDWARE SECURITY

Slide 37

TODAY

Slide 38

Conclusions (1)

• The 20 year syndrome in action –
  – Intel and Microsoft – better & easier solutions exist!
  – Selective IT industry amnesia
• Nothing was done before the PC and 1982!
  – All useful IT research is on the Web
• Intel, Microsoft & TCPA: Read the Intel manuals! Read the literature!
• Government action IS needed! (Forget “light touch”!)

Multics, DEC VAX, Intel 286, GEMSOS, Trusted XENIX

Slide 39

Security IS NOT & NEVER HAS been market led or vendor driven, e.g. seat belts, fire extinguishers, smoke detectors, pool fences, etc.

Slide 40

Motor Vehicle Standards Act 1989, Act No. 65 of 1989 as amended. Consolidated as in force on 20 April 1999 (includes amendments up to Act No. 8 of 1999). Prepared by the Office of Legislative Drafting, Attorney-General’s Department, Canberra.

AN EXCELLENT & PROVEN MODEL! INDUSTRY TECHNICAL STANDARDS WITH LEGISLATIVE ENFORCEMENT

Slide 41

CONCLUSIONS (2)

• Trusted Systems with Mandatory Security as enterprise servers
• Moving beyond perimeter security, which is impractical for web-services (CIL parsing?)
• Plain English evaluation docs!
• Separate TCP/IP networks for critical B2B e-commerce

Slide 42

HP-UX 11i (CAPP/EAL4)

HP-UX 11i is Hewlett-Packard’s UNIX®-based operating environment specifically targeted at Internet applications. HP-UX 11i delivers an end-to-end scalable, manageable, and secure infrastructure for developing, deploying, and brokering mission-critical e-services. HP-UX 11.11 has been submitted for evaluation to the Common Criteria evaluation assurance level EAL4, against the functional requirements in the Controlled Access Protection Profile. The target environment is for systems that may execute on a single HP 9000 Server or be connected to other HP 9000 Servers identically configured to form a local distributed system implementing a unified security policy.

Solution? HP Virtual Vault!!

Slide 43

HP-UX BLS / Virtual Vault

Virtualvault is built on a security-hardened version of the HP-UX operating system.

Slide 44

IBM AIX Version 4.3.1, B1/EST-X Vers 2.0.1

Slide 45

Trusted Solaris 8 4/01 … multilevel trusted operating environment. Meets and exceeds the
• Labeled Security,
• Role-based Access Control, and
• Controlled Access
protection profiles of the Common Criteria.

Features include:
• MAC and DAC - including ACLs;
• Least privilege;
• Trusted networking and trusted NFS;
• Identification and authentication;
• Roles for separating user and administration capabilities;
• Rights profiles;
• Multilevel windowing environment;
• Centralized administration ….;
• Auditing actions of users and roles.

Slide 46

Windows 2000 (CAPP/EAL4)

As for HP-UX 11i: “.. to be used in .. a relatively benign environment…..” “.. all information on the system .. same level ..” “.. All users authorized for that level of information .. not all the data…” “users not expected to be trustworthy..” “administrators are assumed to be trusted and competent…” “..all elements of the network operate under the same security rules and constraints and are subsumed under a single management domain…”

Translation: Forget Internet connection!

Slide 47

CONCLUSIONS (3)

• For CIO/CSO
  • Learning to say “NO!”
  • Growing legal and corporate responsibility
• Start with the simple
  • PINPad experience!
  • Learn trusted systems

Slide 48

ISRC – Information Security Research Centre at QUT

Slide 49

THANK YOU.

20th ANNIVERSARY