Page 1
Partha Dasgupta, Arizona State University
Consumer Identity and Consumer Computing Security
Rev. 2, Feb. 2004
Page 2
Background
- Personal Authentication: stop ID theft
- Hardware Based Security: beyond TCG; HTM – Hardware Trust Management
- Software Based Security: STM – Software Trust Management
Page 3
If I didn't wake up, I'd still be sleeping.
Page 4
“Look what a fine mess you've gotten us into, Ollie!”
Page 5
Fine Mess?
- The Internet for the masses was deployed about 9 years ago
- Internet security measures were phased in over the next 3-4 years: SSL/IPSec, firewalls, antivirus software, IDS systems, certificates
- Yet the e-commerce infrastructure is totally insecure: viruses, phishing attacks, scams, social engineering
- Identity theft and financial embezzlement are increasing at an alarming rate
- Pharming attacks, rootkits: more insidious methods are coming
Page 6
The Problem
- Private information is easy to compromise: viruses, keyboard sniffers and rootkits are getting common and the threats are significant
- Financial and business information is at risk: money is involved, and losses can be large (even if consumers are not held responsible)
- Trusted platform designs are immediately needed: all known software methods are at risk, and rootkits are undetectable
- Viruses have “unlimited power”: steal, cheat, fool, spoof, masquerade, change input/output
A nickel ain't worth a dime anymore
Page 7
Personal Identity Security
- Identity: a property of humans, devices, entities
- Authentication: “What you know, what you have and who you are”
- Transactions run on behalf of Alice MUST be initiated by Alice, with the knowledge of Alice
- Identity assurance in the present day is irretrievably broken
- Shared secrets do not work
- The Undeniable Truth: any “private” information can and will be misused
Page 8
System Security
- Network security has been studied in depth and countermeasures deployed effectively: sniffing, TCP/IP stack attacks, replay attacks, modification attacks, DoS attacks; firewalls
- DoS vs. other attacks: DoS is not in the same class
- System security has taken a back seat: virus detectors are not effective
Nero fiddled while Rome burned
Page 9
“What is your Threat Model?”
- To design effective security procedures we need a good threat model
- Threat models formalize risks; solutions can be tailored to meet the risks contained in the threat model
- Realistic threat models are needed; threat models can be “too strong”
- The network security solutions are based on the “Internet Threat Model (ITM)”: hosts are secure and trustable, the network is not
- What is a good threat model for system security?
You should always go to other people's funerals. Otherwise they won't come to yours.
Page 10
The Thompson Threat Model
- Ken Thompson, Turing Award Lecture 1984: Reflections on Trusting Trust
- Bottom line: if you did not write the code, the compiler and the assembler, you cannot trust a program. Software cannot be trusted.
- Ken Thompson: “The moral is obvious. You can't trust code that you did not totally create yourself…”
- “No amount of source-level verification or scrutiny will protect you from using untrusted code…”
- “A well installed microcode bug will be almost impossible to detect…”
Pages 11–12
Viral Threat Model
- The Thompson Threat Model (TTM) is “too strong”; hence the Viral Threat Model (VTM)
- VTM: the network can be trusted; hosts are not to be trusted. Network security solved all the network problems; even without security, networks are remarkably secure
- Why? Viruses are pervasive and anti-viral software is myopic and ineffective. General purpose software has continually shown vulnerabilities (will not get fixed, the installed base is large)
- If all software is subject to viral threat, then the VTM becomes equivalent to the TTM
- Modify the threat model to include trusted software
You've got to be very careful if you don't know where you're going, because you might not get there.
Page 13
Modified Viral Threat Model
- Some software is assumed to be immune to viral attack
- Weaker, ineffective? It cannot prevent every attack, but can we make threats low incidence and tolerable?
- Like crime in society? Detection, punishment, effective policies? “Trust but Verify”
- Commodity applications have (and will have) vulnerabilities
- Commodity operating systems have (and will have) vulnerabilities
We made too many wrong mistakes.
Page 14
Bottom Line
- No PKI, no security
- Secure processors need a “human in the loop”
- Human in the loop means a human must be able to see securely and communicate securely: secure display, secure keyboard (not software controlled)
- Programmability may be a curse
Pages 15–16
Multi Factor Authentication

| Factor | Mechanism | Weakness |
|---|---|---|
| What you know | Password | Sniffable, phishable, leaky |
| What you have | ID Card | Depends on the card |
| Who you are | Biometrics | VERY VULNERABLE – not to be used for ID at a distance; ID theft vulnerability |
Page 17
Public Key Infrastructure
- Too complicated (for consumers)
- Unnecessary? Everything works “all right” without PKI; no one understands PKI; will my grandma use PKI?
- Reality check: nothing is working “all right” right now!
(Figure: public key, private key, certificate, certificate authority; the private key is the part to keep secret)
Page 18
Why PKI?
- Can shared secret elimination be done? Make all “secret information” public (privacy is a separate issue)
- Use public keys as ID and challenge-response as the authentication technique
- Need mobile gadgets that work in e-commerce as well as brick-and-mortar locations: PKI-enabled “Smart Cards”
- Bad news: this approach is vulnerable to the VTM
- DoD Common Access Card: a well designed authentication system… but…
Page 19
Common Access Card
- Private keys are secure on the card
- Challenge-response ensures non-spoofable identification and signatures
- Certificates provide MITM resilience
- All transactions can be signed by the card
- But a virus on the host can trick the card into performing signatures and challenge responses without the owner’s permission: PIN phishing, malicious log-on, fraudulent signatures and transactions, possible software download vulnerabilities
Page 20
Solution?
- Human in the loop: each time a PKI operation is performed, a human has to know what is going on
- Need out-of-band methods for verification of transactions: cell phone calls?
- Research Issue 1: How to put the human in charge?
- Research Issue 2: How to minimize human interference, without compromising security?
(Cartoon: “This is Secure” / “Yeah, Right”)
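The Common Access Card weakness from page 19 and the human-in-the-loop fix proposed here, as an added illustration that is not part of the slides: a toy card that signs whatever the host hands it, beside a card that signs only after the exact bytes are approved over a channel the host does not control. The RSA parameters, the `ask_human` callback and the message formats are constructed assumptions for the demo.

```python
"""Toy model of the page's Common Access Card problem: the card signs whatever the host
hands it, so host malware can obtain signatures the owner never approved. The confirming
card signs only after the exact bytes are approved over a channel the host cannot control
(the secure display/keyboard of the page's security appliance), modelled as a callback."""
import hashlib
import secrets
from typing import Callable, Optional

# Constructed toy RSA parameters: two small primes, NOT secure, only to keep the math visible.
_P, _Q = 1000003, 1000033
N = _P * _Q                                  # public modulus
E = 65537                                    # public exponent
_D = pow(E, -1, (_P - 1) * (_Q - 1))         # private exponent, never leaves "the card"


def _digest(message: bytes) -> int:
    """Hash, then reduce so the value fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


class NaiveCard:
    """The vulnerable design: signs any message the host process passes in."""

    def sign(self, message: bytes) -> int:
        return pow(_digest(message), _D, N)


class ConfirmingCard:
    """Human-in-the-loop design: the card shows the exact bytes it will sign on the trusted
    channel and signs only on approval; the host supplies no summary it could lie about."""

    def __init__(self, ask_human: Callable[[str], bool]) -> None:
        self._ask_human = ask_human          # lives on the secure I/O path, not on the host

    def sign(self, message: bytes) -> Optional[int]:
        if not self._ask_human(message.decode(errors="replace")):
            return None                      # refused: nothing for host malware to harvest
        return pow(_digest(message), _D, N)


def verify(message: bytes, signature: int) -> bool:
    """Relying-party check using only the public key (N, E)."""
    return pow(signature, E, N) == _digest(message)


def demo() -> dict:
    """Constructed scenario: the owner approves a login and rejects a transfer never initiated."""
    nonce = secrets.token_hex(8)             # relying party's challenge, defeats replay
    login = f"login:bank.example:{nonce}".encode()
    transfer = f"transfer:5000:to-acct-X:{nonce}".encode()
    naive = NaiveCard()                      # host malware drives it; the owner sees nothing
    naive_both = verify(login, naive.sign(login)) and verify(transfer, naive.sign(transfer))
    card = ConfirmingCard(lambda shown: shown.startswith("login:"))
    login_sig = card.sign(login)
    transfer_sig = card.sign(transfer)
    return {"naive_card_signed_both": naive_both,
            "login_signed": login_sig is not None and verify(login, login_sig),
            "transfer_refused": transfer_sig is None,
            "tampered_rejected": not verify(transfer, login_sig or 0)}
```

The confirming card renders the message itself rather than a host-supplied description, so a compromised host cannot present a transfer as a login.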
Page 21
Security Appliance
(Figure: the computer, with its applications, web browser, plug-ins and viruses, is NOT secure; a separate secure processor holds the PKI software, keys, certificates and trusted keys, and is secure, preferably non-programmable)
Page 22
More Secure Devices
- Mobile devices, movable devices, wireless enabled, infrastructural devices, server security
- Products: anti-virus protection, “secure downloads”
(Figure: a “secure” processor with bus access checks the OS for untrusted code and checks the applications for untrusted code)
Page 23
MVTM Software Approach
- How to secure computing systems under the MVTM? What is the solution under the MVTM?
- Some software has to be declared trusted! Trusted software: functions as advertised, independently verified, cannot be “easily” compromised
- Compromise of trusted software should be detectable; hardware techniques may be used to “check” or “verify”
- Trust delegation: trusted software can declare other software to be trusted (at a lower trust level). This leads to hierarchies of trust.
- The above solution is a start; we plan to refine it.
Page 24
Two Approaches
- The software approach: a VMM that is trusted [augmented with hardware checking]; the VMM checks on the OS; add vault features to the VMM [not advisable, see later]; secure human I/O needed
- The hardware approach: a hardware “OS” in hardware; vault + checker for the software OS [similar to the software approach above]; works independently from the software (is the “boss”); has complete access to physical memory (and virtual memory); secure human I/O needed
- Both approaches need “Human in the Loop”
Page 25
Hierarchical Trust Management
- Chain of “checkers”, levels of trust
- Need not be a single chain
Page 26
Attacking a VMM
(Figure: an attacker against the Application / OS / VMM stack: rootkit the OS, rootkit the VMM, install attack code)
- VMMs are not impervious, but they may be harder to attack and can be hardened
Page 27
Securing the VMM
- The VMM is small, so vulnerability testing can be simpler (hopefully)
- Do not include networking support in the VMM; do not include security/trust management in the VMM
- The VMM can check the OS for rootkits; the OS can run virus detectors for applications; “signed applications only” for secure systems
- Add a special trusted system as a HOS on the VMM: the Security Manager (SM)
- The SM can check the VMM for rootkits [verification]; the VMM can check the SM for rootkits [verification]
Page 28
The Software Trust Manager
- The SM is a small OS + application suite that runs in a separate virtual machine
- It has at least the following: network stack and termination (SSL/IPSec terminations, NAT server, DHCP); key vault + signature software; stores hashes of applications/OS/VMM; stores trusted public keys; secure I/O to the human
- Functions: checking software, signature verification, digital signatures, human-in-the-loop policies
Page 29
Why Humans?
- The SM needs to “talk” to a human, and know it's talking to a human
- WHY? Sign financial transactions; authentication, logging into secure sites; updating keys and certificates; updating hashes and trusted public keys; provide alerts; more?
- HOW? Separate hardware channel, separate hardware display/keyboard
- No system can be made secure without a secure human interface!
Page 30
Key things
- Security = private keys + humans + key vaults + hash checks on software
- PKI is essential for authentication (shared secrets are a problem)
- “Trusted Public Keys” and “Trusted Hashes” need human verification
- Any financial transaction signing should use human verification
- Bottom line: prevent viruses, and yet assume viral attacks will happen and create defenses for that situation
Page 31
Trusted Hardware TCG/TPM
- A good direction: hardware is resilient to tampering and cannot be reprogrammed easily; a secure vault for keys/certificates
- Vulnerabilities: the TPM can be “fooled” by viral software; the TPM is under the control of the OS, so it can be bypassed; complex software layers may have vulnerabilities
If the world were perfect, it wouldn't be.
Page 32
The HTM Approach
- Use a hardware module to check the operating system
- The HTM must have secure I/O to the user
Page 33
Combined Trust Hierarchy
(Figure: Hardware Checker → VMM → SM → HOS → Antivirus / Signed apps → app, app, app)
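The chain of checkers from pages 25 and 28 and the hierarchy in the figure above, as an added example (not code from the slides or the project): each layer is hashed against the SM's vault of trusted hashes, a layer counts as trusted only if every checker above it verified, and each step down carries a lower trust level. The component names, image bytes and the `verify_chain` API are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Report = Dict[str, Tuple[int, str]]   # component name -> (trust level, verdict)


@dataclass
class Component:
    """One layer of the hierarchy (hardware checker, VMM, SM, HOS, app)."""
    name: str
    image: bytes                                   # code bytes the layer above will hash
    children: List["Component"] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_trusted_hashes(root: Component) -> Dict[str, str]:
    """Fill the key vault's "trusted hashes" from known-good images."""
    store = {root.name: sha256_hex(root.image)}
    for child in root.children:
        store.update(record_trusted_hashes(child))
    return store


def verify_chain(node: Component, trusted: Dict[str, str], level: int = 0,
                 parent_ok: bool = True, report: Optional[Report] = None) -> Report:
    """Walk the hierarchy top-down. Level 0 is the hardware checker, the anchor the modified
    viral threat model assumes immune. Every other layer is hashed against the vault and is
    trusted only if every checker above it was trusted too (a compromised checker's verdicts
    are worthless). Each step down gets a higher level number, i.e. less trust."""
    if report is None:
        report = {}
    if level == 0:
        verdict = "trusted"
    elif not parent_ok:
        verdict = "unverifiable"
    elif sha256_hex(node.image) == trusted.get(node.name):
        verdict = "trusted"
    else:
        verdict = "compromised"
    report[node.name] = (level, verdict)
    for child in node.children:
        verify_chain(child, trusted, level + 1, verdict == "trusted", report)
    return report


def build_system() -> Component:
    """Constructed sample mirroring the Combined Trust Hierarchy figure."""
    apps = [Component(f"app-{i}", f"signed app image {i}".encode()) for i in range(3)]
    hos = Component("HOS", b"host OS image", apps)
    sm = Component("SM", b"security manager image", [hos])
    vmm = Component("VMM", b"vmm image", [sm])
    return Component("Hardware Checker", b"checker firmware", [vmm])


def demo() -> Report:
    """Constructed tampering: a rootkit patched into the HOS fails its hash check, and the
    unmodified apps below it become unverifiable because their checker is no longer trusted."""
    trusted = record_trusted_hashes(build_system())
    live = build_system()
    hos = live.children[0].children[0].children[0]
    hos.image += b"\x90\x90 rootkit hook"
    return verify_chain(live, trusted)
```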
Page 34
Near Term Research Plan
- Fast prototyping: VMM off the shelf with minor modifications; SM as an application run on a stock OS; SM: add cryptographic protocols and …; SM: secure I/O is simulated; hardware checker is an FPGA board; VMM OS rootkit detector, with a simple hashing scheme
- Testing and verification: insert code into applications and operating systems using “helpers” to check detection capabilities; attempt to update the VMM or SM and/or the hardware simulator
I really didn't say everything I said.
Page 35
Conclusions
- System security is the next frontier
- Cryptography is useless when keys can be stolen
- Shared secret schemes are bad; public keys can be ineffective too
- Integrated design needed: human verification + some hardware or robust software + protocols + policies