travis+security@subspacefield.org
January 26, 2015

Abstract

This is an online book about computer, network, technical, physical, information and cryptographic security. It is a labor of love, incomplete until the day I am finished.

Contents
1 Metadata
1.1 Copyright and Distribution Control
1.2 Goals
1.3 Audience
1.4 About This Work
1.5 On the HTML Version
1.6 About Writing This
1.7 Tools Used To Create This Book
2 Security Properties
2.1 Information Security is a PAIN
2.2 Parkerian Hexad
2.3 Pentagon of Trust
2.4 Security Equivalency
2.5 Other Questions
3 Security Models
4 Security Concepts
4.1 The Classification Problem
4.2 Security Layers
4.3 Privilege Levels
4.4 What is a Vulnerability?
4.5 Vulnerability Databases
4.6 Accuracy Limitations
4.7 Rice's Theorem
5 Economics of Security
5.1 How Expensive are Security Failures?
5.2 Abuse Detection and Response: A Cost-Benefit Perspective
6 Adversary Modeling
6.1 Common Psychological Errors
6.2 Cost-Benefit
6.3 Risk Tolerance
6.4 Capabilities
6.5 Sophistication Distribution
6.6 Goals
7 Threat Modeling
7.1 Common Platform Enumeration
7.2 A Taxonomy of Privacy Breaches
7.3 Threats to Security Properties
7.4 Quantifying Risk
7.5 Attack Surface
7.6 Attack Trees
7.7 The Weakest Link
8 Physical Security
8.1 No Physical Security Means No Security
8.2 Data Remanence
8.3 Smart Card Attacks
9.1 Introduction
9.2 Protection Rings
9.3 Operating Modes
9.4 NX bit
9.5 Supervisors and Hypervisors
9.6 Trusted Computing
9.7 Intel vPro
9.8 Hardware Vulnerabilities and Exploits
10 Distributed Systems
10.1 Network Security Overview
10.2 Network Access Control
10.3 Network Reconnaissance
10.4 Network Intrusion Detection and Prevention
10.5 Cryptography is the Sine Qua Non of Secure Distributed Systems
10.6 Hello, My Name is 192.168.1.1
10.7 Source Tapping; The First Hop and Last Mile
10.8 Security Equivalent Things Go Together
10.9 Man In The Middle
10.10 Network Surveillance
10.11 Push vs. Pull Updates
10.12 DNS Issues
10.13 Network Topology
11 Identification and Authentication
11.1 Identity
11.2 Identity Management
11.3 The Identity Continuum
11.4 Problems Remaining Anonymous
11.5 Problems with Identifying People
11.6 What Authority?
11.8 Authentication Factors
11.9 Authenticators
11.10 Biometrics
11.11 Authentication Issues: When, What
11.12 Remote Attestation
11.13 Advanced Authentication Tools
12 Authorization - Access Control
12.1 Privilege Escalation
12.2 Physical Access Control
12.3 Operating System Access Control
12.4 Application Authorization Decisions
12.5 IPTables, IPChains, Netfilter
12.6 PF
12.7 Keynote
13 Secure System Administration
13.1 Backups
13.2 Monitoring
13.3 Visualization
13.4 Change Management
13.5 Self-Healing Systems
13.6 Heterogeneous vs. Homogeneous Defenses
14 Logging
14.1 Synchronized Time
14.2 Syslog
14.3 Cryptographically Untamperable Logs
15 Reporting
15.1 Change Reporting
15.2 Artificial Ignorance
15.3 Dead Man's Switch
16.1 Physical Intrusion Detection
16.2 Misuse Detection vs. Anomaly Detection
16.3 Computer Immune Systems
16.4 Behavior-Based Detection
16.5 Honey Traps
16.6 Tripwires and Booby Traps
16.7 Malware and Anti-Malware
16.8 Detecting Automated Peers
16.9 Host-Based Intrusion Detection
16.10 Intrusion Detection Principles
16.11 Intrusion Information Collection
17 Abuse Response
17.1 Abuse Alerting
17.2 How to Respond to Abuse
17.3 Identification Issues
17.4 Resource Consumption Defenses
17.5 Proportional Response
18 Forensics
18.1 Forensic Limitations
18.2 Remnant Data
18.3 Ephemeral Data
18.4 Remnant Data
18.5 Hidden Data
18.6 Metadata
18.7 Locating Encryption Keys and Encrypted Data
18.8 Forensic Inference
19 Privacy
19.1 Mix-Based Systems
19.2 Distros
20.1 Response to Worms and Human Perpetrators
20.2 Response to Malware
21 Network Security
21.1 The Current State of Things
21.2 Traffic Identification
21.3 Brute-Force Defenses
21.4 Federated Defense
21.5 VLANs Are Not Security Technologies
21.6 Advanced Network Security Technologies
22 Email Security
22.1 Unsolicited Bulk Email
22.2 Phishing
22.3 Frameworks
23 Web Security
23.1 Direct Browser Attacks
23.2 Indirect Browser Attacks
23.3 Web Application Vulnerabilities
23.4 Relevant Standards
23.5 Crawler Attacks
23.6 SSL Certificates Made Redundant
24 Software Security
24.1 Security is a Subset of Correctness
24.2 Secure Coding
24.3 Malware vs. Data-Directed Attacks
24.4 Language Weaknesses
24.5 Reverse Engineering
24.6 Application Exploitation
24.7 Application Exploitation Defenses
24.9 Failure Modes
24.10 Fault Tolerance
24.11 Implications of Incorrectness
25 Human Factors and Usability
25.1 The Psychology of Security
25.2 Social Engineering
25.3 Security Should Be Obvious, and the Default
25.4 Security Should Be Easy to Use
25.5 No Hidden Data
26 Attack Patterns
26.1 Attack Taxonomy
26.2 Attack Properties
26.3 Attack Cycle
26.4 Common Attack Pattern Enumeration and Classification
27 Trust and Personnel Security
27.1 Trust and Trustworthiness
27.2 Who or What Are You Trusting?
27.3 Code Provenance
27.4 The Incompetence Defense
27.5 Limiting Damage Caused by Trusted People
28 Cryptography
28.1 Things To Know Before Doing Crypto
28.2 Limits of Cryptography
28.3 Cryptographic Algorithms
28.4 Cryptographic Algorithm Enhancements
28.5 Cryptographic Combinations
28.6 Cryptographic Protocols
28.7 Encrypted Storage
28.8 Deniable Storage
28.9 Key Management
28.10 Cryptographic Standards
29.1 Types of Random Number Generators
29.2 Pseudo-Random Number Generators
29.3 An Ideal Random Number Generator
29.4 Definitions of Unpredictability
29.5 Definitions of Randomness
29.6 Types of Entropy
29.7 Why Entropy and Unpredictability Are Not the Same
29.8 Unpredictability is the Sine Qua Non of Cryptography
29.9 Unpredictability is Not Provable
29.10 Randomly Generated Samples
29.11 Testing Samples For Predictability
29.12 Testing Noise Sources
29.13 Ways to Fail
29.14 Sources of Unpredictability
29.15 The Laws of Unpredictability
30 Cryptanalysis
30.1 Cryptographic Attack Patterns
30.2 A Priori Knowledge
30.3 Length Extension Attacks
30.4 Hash Collisions
30.5 PKCS Padding Oracle Attack
30.6 Cryptanalysis of Random Number Generators
30.7 Cryptanalysis of Wireless Protocols
31 Lateral Thinking
31.1 Traffic Analysis
31.2 Side Channels
32.1 Intelligence Jargon
32.2 Controlling Information Flow
32.3 Labeling and Regulations
32.4 Knowledge is Power
32.5 Secrecy is Power
32.6 Never Confirm Guesses
32.7 What You Don't Know Can Hurt You
32.8 How Secrecy is Lost
32.9 Costs of Disclosure
32.10 Dissemination
32.11 Information, Misinformation, Disinformation
33 Conflict and Combat
33.1 Indicators and Warnings
33.2 Attacker's Advantage in Network Warfare
33.3 Defender's Advantage in Network Warfare
33.4 OODA Loops
33.5 Courses of Action
34 Security Principles
34.1 The Principle of Least Privilege
34.2 The Principle of Agility
34.3 The Principle of Minimal Assumptions
34.4 The Principle of Fail-Secure Design
34.5 The Principle of Unique Identifiers
34.6 The Principles of Simplicity
34.7 The Principle of Defense in Depth
34.8 The Principle of Uniform Fronts
34.9 The Principle of Split Control
34.10 The Principle of Minimal Changes
34.11 The Principle of Centralized Management
34.13 The Principle of Removing Excuses
34.14 The Principle of Usability
34.15 The Principle of Retaining Control
34.16 The Principle of Personality
34.17 The Principle of Least Common Mechanism
34.18 The Principle of Practice
34.19 Work Factor Calculation
34.20 Availability Principles
35 Common Arguments
35.1 Disclosure: Full, Partial, or None?
35.2 Absolute vs. Effective Security
35.3 Quantification and Metrics vs. Intuition
35.4 Security Through Obscurity
35.5 Security of Open Source vs. Closed Source
35.6 Insider Threat vs. Outsider Threat
35.7 Prevention vs. Detection
35.8 Audit vs. Monitoring
35.9 Early vs. Late Adopters
35.10 Sending HTML Email
36 Editorials, Predictions, Polemics, and Personal Opinions
36.1 So You Think You're Old School?
36.2 Security is for Polymaths
36.3 A Proposed Perimeter Defense
36.4 Linear Order Please!
36.5 Computers are Transcending our Limitations
36.6 Password Length Limits Considered Harmful
36.7 Everything Will Be Encrypted Soon
36.8 How Universal Digital Signing Will Affect Things
36.9 Error Propagation Characteristics Usually Don't Matter
36.11 Should My Employees Attend Hacker Conferences?
36.12 Should You Sell Out?
36.13 Anonymity is not a Crime
36.14 Monitoring Your Employees
36.15 Trust People in Spite of Counterexamples
36.16 Do What I Mean vs. Do What I Say
36.17 You Are Part of the Problem if You...
36.18 What Do I Do to Not Get Hacked?
37 Resources
37.1 My Other Stuff
37.2 Publications
37.3 Conferences
37.4 Books
37.5 Periodicals
37.6 Blogs
37.7 Mailing Lists
37.8 Computer Security Movies
38 Unsorted
39 Credits
1 Metadata

The books that help you most are those which make you think the most. The hardest way of learning is that of easy reading; but a great book that comes from a great thinker is a ship of thought, deep freighted with truth and beauty.
Theodore Parker
1.1 Copyright and Distribution Control

Kindly link a person to it instead of redistributing it, so that people may always receive the latest version. However, even an outdated copy is better than none. The PDF version is preferred and more likely to render properly (especially graphics and special mathematical characters), but the HTML version is simply too convenient to not have it available. The latest version is always here:
http://www.subspacefield.org/security/security_concepts.html

This is a copyrighted work, with some rights reserved. This work is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License. This means you may redistribute it for non-commercial purposes, and that you must attribute me properly (without suggesting I endorse your work). For attribution, please include a prominent link back to this original work and some text describing the changes. I am comfortable with certain derivative works, such as translation into other languages, but not sure about others, so I have not yet explicitly granted permission for all derivative uses. If you have any questions, please email me and I'll be happy to discuss it with you.
1.2 Goals

I wrote this paper to try and examine the typical problems in computer security and related areas, and attempt to extract from them principles for defending systems. To this end I attempt to synthesize various fields of knowledge, including computer security, network security, cryptology, and intelligence. I also attempt to extract the principles and implicit assumptions behind cryptography and the protection of classified information, as obtained through reverse-engineering (that is, informed speculation based on existing regulations and stuff I read in books), where they are relevant to technological security.
1.3 Audience

When I picture a perfect reader, I always picture a monster of courage and curiosity, also something supple, cunning, cautious, a born adventurer and discoverer.
Friedrich Nietzsche
This is not intended to be an introductory text, although a beginner could gain something from it. The reason behind this is that beginners think in terms of tactics, rather than strategy, and of details rather than generalities. There are many fine books on computer and network security tactics (and many more not-so-fine books), and tactics change quickly, and being unpaid for this work, I have attempted to extract abstract concepts and strategies which are not necessarily tied to computer security. And I have attempted to illustrate the points with interesting and entertaining examples and would love to have more, so if you can think of an example for one of my points, please send it to me!

I'm writing this for you, noble reader, so your comments are very welcome; you will be helping me make this better for every future reader. If you send a contribution or comment, you'll save me a lot of work if you tell me whether you wish to be mentioned in the credits (see 39) or not; I want to respect the privacy of anonymous contributors. If you're concerned that would be presumptuous, don't be; I consider it considerate of you to save me an email exchange. Security bloggers will find plenty of fodder by looking for new URLs added to this page, and I encourage you to do it, since I simply don't have time to comment on everything I link to. If you link to this paper from your blog entry, all the better.
1.4 About This Work

I have started this book with some terminology as a way to frame the discussion. Then I get into the details of the technology. Since this is adequately explained in other works, these sections are somewhat lean and may merely be a list of links. Then I get into my primary contribution, which is the fundamental principles of security which I have extracted from the technological details. Afterwards, I summarize some common arguments that one sees among security people, and I finish up with some of my personal observations and opinions.

1.5 On the HTML Version

Since this document is constantly being revised, I suggest that you start with the table of contents and click on the subject headings so that you can see which ones you have read already. If I add a section, it will show up as unread. By the time it has expired from your browser's history, it is probably time to re-read it anyway, since the contents have probably been updated.

See the end of this page for the date it was generated (which is also the last update time). I currently update this about once every two weeks.

Some equations may fail to render in HTML. Thus, you may wish to view the PDF version instead.
1.6 About Writing This

Part of the challenge with writing about this topic is that we are always learning and it never seems to settle down, nor does one ever seem to get a sense of
to-date than a book, and more comprehensive and self-contained than most web pages. I know it's uneven; in some areas it's just a heading with a paragraph, or a few links, in other places it can be as smoothly written as a book. I thought about breaking it up into multiple documents, so I could release each with much more fanfare, but that's just not the way I write, and it makes it difficult to do as much cross-linking as I'd like.

This is to my knowledge the first attempt to publish a computer security book on the web before printing it, so I have no idea if it will even be possible to print it commercially. That's okay; I'm not writing for money. I'd like for the Internet to be the public library of the 21st century, and this is my first significant donation to the collection. I am reminded of the advice of a staffer in the computer science department, who said, do what you love, and the money will take care of itself.

That having been said, if you wanted to contribute towards the effort, you can help me defray the costs of maintaining a server and such by visiting our donation page. If you would like to donate but cannot, you may wait until such a time as you can afford to, and then give something away (i.e. pay it forward).
1.7 Tools Used To Create This Book

I use LyX, but I'm still a bit of a novice. I have a love/hate relationship with it and the underlying typesetting language LaTeX.
2 Security Properties

What do we mean by secure? When I say secure, I mean that an adversary can't make the system do something that its owner (or designer, or administrator, or even user) did not intend. Often this involves a violation of a general security property. Some security properties include:

confidentiality refers to whether the information in question is disclosed or remains private.

integrity refers to whether the systems (or data) remain uncorrupted. The opposite of this is malleability, where it is possible to change data without detection, and believe it or not, sometimes this is a desirable security property.

availability is whether the system is available when you need it or not.

consistency is whether the system behaves the same each time you use it.

auditability ... so it can be investigated later. Direct-record electronic voting machines (with no paper trail) are unauditable.

control is whether the system obeys only the authorized users or not.

authentication is whether the system can properly identify users. Sometimes, it is desirable that the system cannot do so, in which case it is anonymous or pseudonymous.

non-repudiation is a relatively obscure term meaning that if you take an action, you won't be able to deny it later. Sometimes, you want the opposite, in which case you want repudiability (plausible deniability).

Please forgive the slight difference in the way they are named; while English is partly to blame, these properties are not entirely parallel. For example, confidentiality refers to information (or inferences drawn on such) just as program refers to an executable stored on the disk, whereas control implies an active system just as process refers to a running program (as they say, a process is a program in motion). Also, you can compromise my data confidentiality with a completely passive attack such as reading my backup tapes, whereas controlling my system is inherently detectable since it involves interacting with it in some way.
2.1 Information Security is a PAIN

You can remember the security properties of information as PAIN: Privacy, Authenticity, Integrity, Non-repudiation.

2.2 Parkerian Hexad

There is something similar known as the Parkerian Hexad, defined by Donn B. Parker, which is six fundamental, atomic, non-overlapping attributes of information that are protected by information security measures:

1. confidentiality
2. possession
3. integrity
4. authenticity
5. availability
6. utility

2.3 Pentagon of Trust

1. Admissibility (is the remote node trustworthy?)
2. Authentication (who are you?)
3. Authorization (what are you allowed to do?)
4. Availability (is the data accessible?)
5. Authenticity (is the data intact?)
2.4 Security Equivalency

I consider two objects to be security equivalent if they are identical with respect to the security properties under discussion; for precision, I may refer to confidentiality-equivalent pieces of information if the sets of parties to which they may be disclosed (without violating security) are exactly the same (and conversely, so are the sets of parties to which they may not be disclosed). In this case, I'm discussing objects which, if treated improperly, could lead to a compromise of the security goal of confidentiality. Or I could say that two cryptosystems are confidentiality-equivalent, in which case the objects help achieve the security goal. To be perverse, these last two examples could be combined; if the information in the first example was actually the keys for the cryptosystem in the second example, then disclosure of the first could impact the confidentiality of the keys and thus the confidentiality of anything handled by the cryptosystems. Alternately, I could refer to access-control equivalence between two firewall implementations; in this case, I am discussing objects which implement a security mechanism which helps us achieve the security goal, such as confidentiality of something.

2.5 Other Questions

1. Secure to whom? A web site may be secure (to its owners) against unauthorized control, but may employ no encryption when collecting information from customers.
2. Secure from whom? A site may be secure against outsiders, but not insiders.
3 Security Models

I intend to expand this section when I have some time.

Computer Security Models
Biba Integrity Model
Brewer-Nash Model
Graham-Denning Model
Take-Grant Model
Clark-Wilson Model
Harrison-Ruzzo-Ullman Model
Non-interference Model

Related information in Operating System Access Control (12.3).

4 Security Concepts

There is no security on this earth, there is only opportunity.
General Douglas MacArthur (1880-1964)

These are important concepts which appear to apply across multiple security domains.
4.1 The Classification Problem

Many times in security you wish to distinguish between classes of data. This occurs in firewalls, where you want to allow certain traffic but not all, and in intrusion detection where you want to allow benign traffic but not allow malicious traffic, and in operating system security, where we wish to allow the user to run their programs but not malware (see 16.7). In doing so, we run into a number of limitations in various domains that deserve mention together.

4.1.1 Classification Errors

False Positives vs. False Negatives, also called Type I and Type II errors.

Discuss equal error rate (EER) and its use in biometrics.

A more sophisticated measure is its Receiver Operating Characteristic curve, see:
Information Awareness: A Prospective Technical Assessment
4.1.2 The Base-Rate Fallacy

In The Base Rate Fallacy and its Implications for Intrusion Detection, the author essentially points out that there's a lot of benign traffic for every attack, and so even a small chance of a false positive will quickly overwhelm any true positives. Put another way, if one out of every 10,001 connections is malicious, and the test has a 1% false positive error rate, then for every 1 real malicious connection there are 10,000 benign connections, and hence 100 false positives.
4.1.3 Test Efficiency

In other cases, you are perfectly capable of performing an accurate test, but not on all the traffic. You may want to apply a cheap test with some errors on one side before applying a second, more expensive test on the side with errors to weed them out. In medicine, this is done with a screening test which has low false negatives, and then, having concentrated the high risk population, you now diagnose with a more complex procedure with a low false positive rate because you're now diagnosing a high-prevalence population. This is done in BSD Unix with packet capturing via tcpdump, which uploads a coarse filter into the kernel, and then applies a more expensive but finer-grained test in userland which only operates on the packets which pass the first test.
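The arithmetic behind the two sections above, carried through as an added Python example (this is not code from the book): the single-stage figures are the ones the base-rate passage uses (one malicious connection in 10,001, a 1% false positive rate), and the coarse/fine pipeline in the tcpdump style is constructed for illustration, with made-up error rates and relative costs and the assumption that the two stages make their errors independently.

```python
"""Base-rate and two-stage-test arithmetic for an imperfect detector.

Added example, not from the book. The single-stage figures are the ones the
text uses (one malicious connection in 10,001 and a 1% false positive rate);
the coarse/fine pipeline figures and costs are constructed for illustration,
and the two stages are assumed to make their errors independently.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Test:
    """A detector described by its two error rates and a relative per-item cost."""
    name: str
    tpr: float          # P(alarm | malicious); 1 - tpr is the false negative (Type II) rate
    fpr: float          # P(alarm | benign), the false positive (Type I) rate
    cost: float = 1.0   # relative cost of applying the test to one item


def expected_alarms(test: Test, population: float, prevalence: float) -> tuple[float, float]:
    """Expected (true positives, false positives) when `test` is run over
    `population` items of which a fraction `prevalence` is malicious."""
    malicious = population * prevalence
    benign = population - malicious
    return malicious * test.tpr, benign * test.fpr


def precision(test: Test, prevalence: float) -> float:
    """P(malicious | alarm): the share of alarms that are real. This is the
    number the base-rate fallacy overlooks; it collapses when prevalence is
    tiny even if the false positive rate looks respectable."""
    hits = prevalence * test.tpr
    noise = (1.0 - prevalence) * test.fpr
    return hits / (hits + noise)


def chain(first: Test, second: Test) -> Test:
    """The detector obtained by running `second` only on what `first` flagged.
    An item is reported only if both stages fire, so with independent errors
    both rates multiply: the false positive rate shrinks by orders of
    magnitude while the true positive rate drops only slightly. Cost is not
    a constant for the pipeline (it depends on how much stage one lets
    through), so use staged_cost() for that."""
    return Test(f"{first.name} -> {second.name}",
                first.tpr * second.tpr, first.fpr * second.fpr, first.cost)


def staged_cost(first: Test, second: Test, population: float, prevalence: float) -> float:
    """Expected cost of the pipeline: stage one on every item, stage two only
    on the items stage one flagged (its true and false positives)."""
    tp, fp = expected_alarms(first, population, prevalence)
    return population * first.cost + (tp + fp) * second.cost


if __name__ == "__main__":
    prevalence = 1 / 10001          # one malicious connection per 10,001 (from the text)
    population = 10001

    ids = Test("single-stage IDS", tpr=1.0, fpr=0.01)
    tp, fp = expected_alarms(ids, population, prevalence)
    print(f"{ids.name}: {tp:.0f} true alarm vs {fp:.0f} false alarms, "
          f"precision {precision(ids, prevalence):.2%}")

    # Constructed two-stage pipeline in the tcpdump style: a cheap, permissive
    # in-kernel filter followed by an expensive, precise userland analysis.
    coarse = Test("kernel filter", tpr=0.99, fpr=0.10, cost=1.0)
    fine = Test("userland analysis", tpr=0.95, fpr=0.001, cost=100.0)
    pipeline = chain(coarse, fine)
    print(f"{pipeline.name}: precision {precision(pipeline, prevalence):.2%}, "
          f"cost {staged_cost(coarse, fine, population, prevalence):,.0f} "
          f"vs {population * fine.cost:,.0f} for running the fine test on everything")
```

With the text's numbers the single-stage detector is right about one alarm in a hundred, exactly the 1-to-100 ratio the passage describes. Chaining the constructed stages raises that to roughly one in two, because the false positive rate of the pair is the product of the two rates, and the expensive test is paid for only on the roughly ten percent of traffic the cheap filter lets through.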
4.1.4 Incompletely-Defined Sets

As far as the laws of mathematics refer to reality, they are not certain; and as far as they are certain, they do not refer to reality.
Albert Einstein

Stop for a moment and think about the difficulty of trying to list all the undesirable things that your computer shouldn't do. If you find yourself finished, then ask yourself; did you include that it shouldn't attack other computers? Did you include that it shouldn't transfer $1000 to a mafia-run web site when you really intended to transfer $100 to your mother? Did you include that it shouldn't send spam to your address book? The list goes on and on.

Thus, if we had a complete list of everything that was bad, we'd block it and never have to worry about it again. However, often we either don't know, or the set is infinite.

In some cases, it may be possible to define a list of good things (see 34.1); for example, the list of programs you might need to use in your job may be small, and so they could be enumerated. However, it is easy to imagine where whitelisting would be impossible; for example, it would be impractical to enumerate all the possible good network packets, because there's just so many of them.

It is probably true that computer security is interesting because it is open-ended; we simply don't know ahead of time whether something is good or bad.

So often we can't enumerate all the things we would want to do, nor all the things that we would not want to do. Because of this, intrusion detection systems (see 16) often simply guess; they try to detect attacks unknown to them by looking for features that are likely to be present in exploits but not in normal traffic. At the current moment, you can find out if your traffic is passing through an IPS by trying to send a long string of 0x90 octets (x86 NOPs) in a session. This isn't malicious by itself, but is a common letter with which people pad exploits (see 24.6). In this case, it's a great example of a false positive, or collateral damage, generated through guilt-by-association; there's nothing inherently bad about NOPs, it's just that exploit writers use them a lot, and IPS vendors decided that made them suspicious. I'm not a big fan of these because I feel that it breaks functionality that doesn't threaten the system, and that it could be used as evidence of malfeasance against someone by someone who doesn't really understand the technology. I'm already irritated by the false-positives or excessive warnings about security tools from anti-virus software; it seems to alert to potentially-unwanted programs an absurd amount of the time; most novices don't understand that the anti-virus software reads the disk even though I'm not running the programs, and that you have nothing to fear if you don't run the programs. I fear that one day my Internet Service Provider will start filtering them out of my email or network streams, but fortunately they just don't care that much.
4.2 Security Layers

I like to think of security as a hierarchy. At the base, you have physical security. On top of that is OS security, and on top of that is application security, and on top of that, network security. The width of each layer of the hierarchy can be thought of as the level of security assurance, so that it forms a pyramid.

You may have an unbeatable firewall, but if your OS doesn't require a password and your adversary has physical access to the system, you lose. So each layer of the pyramid cannot be more secure (in an absolute sense) than the layer below it. Ideally, each layer should be available to fewer adversaries than the layer above it, so that one has a sort of balance or risk equivalency.

1. network security
2. application/database security
3. OS security
4. hardware security
5. physical security
... individual computers), and do not distinguish between users of each system. In some sense, we are assigning rights to computers and not people. We are defining which computers may talk to which other computers, or perhaps even to which applications. This is often justified since it is usually easier to leverage one user's access to gain another's within the same system than to gain access to another system (but this is not a truism).

In application or database security, we are concerned about how software applications handle security. For example, most databases have notions of users, and one may allow certain users to access certain databases, tables, or rows and not others. It is assumed that the adversary is one of the users of the system, and the discussion centers around what that user can or cannot do within the application, assuming that the user cannot ...

In operating system security, we distinguish between users of the system, and perhaps the roles they are fulfilling, and only concern ourselves with activities within that computer. It is assumed that the adversary has some access, but less than full privileges on the system.

Hardware security receives little discussion in security circles, but as processors and chipsets get more complex, there are more vulnerabilities being found within them. In hardware security, we assume that the adversary has root-level access on the system, and discuss what that enables the adversary to do.

When we discuss physical security, we assume that the adversary may physically approach the campus, building, room, or computer. We tend to create concentric security zones around the system, and try to keep adversaries as far away from it as possible. This is because if an adversary gains physical, unmonitored access to the computer system, it is virtually impossible to maintain the security of the system. This kind of discussion is particularly interesting to designers of tamper-resistant systems, such as digital satellite TV receivers.
4.3 Privilege Levels

Here's a taxonomy of some commonly-useful privilege levels.

1. Anonymous, remote systems
2. Authenticated remote systems
3. Local unprivileged user (UID > 0)
4. Administrator (UID 0)
5. Kernel (privileged mode, ring 0)
6. Hardware (TPM, ring -1, hypervisors, trojaned hardware)

... the higher the privilege level you get, the harder you can be to detect. The gateways between the levels are access control devices, analogous with firewalls.
4.4 What is a Vulnerability?

Now that you know what a security property is, what constitutes (or should constitute) a vulnerability? On the arguable end of the scale we have loss of availability, or susceptibility to denial of service (DoS). On the inarguable end of the scale, we have loss of control, which usually means arbitrary code execution, which often means that the adversary can do whatever he wants with the system, and therefore can violate any other security property.

In an ideal world, every piece of software would state its assumptions about its environment, and then state the security properties it attempts to guarantee; this would be a security policy. Any violation of these explicitly-stated security properties would then be a vulnerability, and any other security properties would simply be outside the design goals. However, I only know of one piece of commonly-available software which does this, and that's OpenSSL (http://oss-institute.org/FIPS_733/SecurityPolicy-1.1.1_733.pdf).

A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application. Stakeholders include the application owner, application users, and other entities that rely on the application. The term vulnerability is often used very loosely. However, here we need to distinguish threats, attacks, and countermeasures.
OWASP Vulnerabilities Category (http://www.owasp.org/index.php/Category:Vulnerability)

Vulnerabilities can be divided roughly into two categories, implementation bugs and design flaws. Gary McGraw (http://www.cigital.com/~gem/), the host of the Silver Bullet Security Podcast (http://www.cigital.com/silverbullet/), reports that the vulnerabilities he finds are split into these two categories roughly evenly.
4.5 Vulnerability Databases

4.5.1 National Vulnerability Database

NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD ... flaws, misconfigurations, product names, and impact metrics.
NVD Home Page

National Vulnerability Database (http://nvd.nist.gov/)

4.5.2 Common Vulnerabilities and Exposures

International in scope and free for public use, CVE is a dictionary of publicly known information security vulnerabilities and exposures. CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.
CVE Home Page

Common Vulnerabilities and Exposures (http://cve.mitre.org/)

4.5.3 Common Weakness Enumeration

The Common Weakness Enumeration Specification (CWE) provides a common language of discourse for discussing, finding and dealing with the causes of software security vulnerabilities as they are found in code, design, or system architecture. Each individual CWE represents a single vulnerability type. CWE is currently maintained by the MITRE Corporation with support from the National Cyber Security Division (DHS). A detailed CWE list is currently available at the MITRE website; this list provides a detailed definition for each individual CWE.
CWE Home Page

Common Weakness Enumeration (http://cwe.mitre.org/)

4.5.4 Open Source Vulnerability Database

OSVDB is an independent and open source database created by and for the community. Our goal is to provide accurate, detailed, current, and unbiased technical information.
OSVDB Home Page

The Open Source Vulnerability Database (http://osvdb.org/)
4.6 Accuracy Limitations in Making Decisions That Impact Security

On two occasions I have been asked, "Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?" In one case a member of the Upper, and in the other a member of the Lower, House put this question. I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.
Charles Babbage

This is sometimes called the GIGO rule (Garbage In, Garbage Out). Stated this way, this seems self-evident. However, you should realize that this applies to systems as well as programs. For example, if your system depends on DNS to locate a host, then the correctness of your system's operation depends on DNS. Whether or not this is exploitable (beyond a simple denial of service) depends a great deal on the details of the procedures. This is a parallel to the question of whether it is possible to exploit a program via an unsanitized input.

You can never be more accurate than the data you used for your input. Try to be neither precisely inaccurate, nor imprecisely accurate. Learn to use footnotes.
4.7 Rice's Theorem
This appears to relate to the undecidability of certain problems related to arbitrary programs, of certain issues related to program correctness, and has important consequences like no modern general-purpose computer can solve the general problem of determining whether or not a program is virus free. A friend pointed out to me that the entire anti-virus industry depends on the public not realizing that this is proven to be an unsolvable (not just a difficult) problem. The anti-virus industry, when it attempts to generate signatures or enumerate badness (see 34.1), is playing a constant game of catch-up, usually a step or two behind their adversaries.
Unfortunately, really understanding and (even more so) explaining decidability problems requires a lot of thinking, and I'm not quite up to the task at the moment, so I'll punt.
Wikipedia article on Rice's Theorem (http://en.wikipedia.org/wiki/Rice%27s_theorem)
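A sketch of the standard argument behind the "virus free is undecidable" claim, added here as an illustration and not part of the original text; it takes the halting problem as known to be undecidable and writes $M$ for a fixed malicious payload.

$$
\begin{aligned}
&\text{Suppose a total decider } V \text{ exists with } V(P) = 1 \iff P \text{ never runs } M. \\
&\text{For any machine } T \text{ and input } w, \text{ build } P_{T,w}: \text{ on any input, simulate } T \text{ on } w; \text{ if it halts, run } M. \\
&\text{Then } V(P_{T,w}) = 0 \iff T \text{ halts on } w, \\
&\text{so } V \text{ would decide the halting problem; hence no such } V \text{ exists.}
\end{aligned}
$$

Rice's theorem generalises this to every non-trivial property of what a program does (as opposed to how its text looks), which is why matching signatures against code can only ever approximate the "virus free" question.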
5 Economics of Security
5.1 How Expensive are Security Failures?
Here are some of the examples I could dig up.
TJ Maxx was using WEP at their stores and suffered a major loss of data, and large fines:
WEP Security + Pringles-Can = $1B TJX Loss?
TJX's failure to secure Wi-Fi could cost $1B
Report of an Investigation into the Security, Collection and Retention of Personal Information
5.1.2 Greek Cell Tapping Incident
The Greek telephone tapping case of 2004-2005, also referred to as Greek Watergate, involved the illegal tapping of more than 100 mobile phones on the Vodafone Greece network belonging mostly to members of the Greek government and top-ranking civil servants.
On October 19, 2007, Vodafone Greece was again fined €19 million by EETT, the national telecommunications regulator, for alleged breach of privacy rules.
Wikipedia article
Greek Watergate scandal sends political shockwaves
The Athens Affair
5.1.3 VAServ/LxLabs
The discovery of 24 security vulnerabilities may have contributed to the death of the chief of LxLabs. A flaw in the company's HyperVM software allowed data on 100,000 sites, all hosted by VAserv, to be destroyed. The HyperVM solution is popular with cheap web hosting services and the attacks are easy to reproduce, which could lead to further incidents.
Slashdot article (http://it.slashdot.org/story/09/06/09/1422200/Security-Flaw-Hits-VAserv-Head-of-LxLabs-Found-Hanged)
LxLabs boss found hanged after vuln wipes websites (http://www.theregister.co.uk/2009/06/09/lxlabs_funder_death/)
Webhost hack wipes out data for 100,000 sites (http://www.theregister.co.uk/2009/06/08/webhost_attack/)
5.1.4 CardSystems
CardSystems Solutions Settles FTC Charges (http://www.ftc.gov/opa/2006/02/cardsystems_r.shtm)
Egghead was hurt by a December 2000 revelation that hackers had accessed its systems and potentially compromised customer credit card data. The company filed for bankruptcy in August 2001. After a deal to sell the company to Fry's Electronics for $10 million fell through, its assets were acquired by Amazon.com for $6.1 million.
...
In December 2000, the company's IIS-based servers were compromised, potentially releasing credit card data of over 3.6 million people. In addition to poor timing near the Christmas season, the handling of the breach by publicly denying that there was a problem, then notifying Visa, who in turn notified banks, who notified consumers, caused the breach to escalate into a full blown scandal.
Wikipedia
Wikipedia article on Egghead Software (http://en.wikipedia.org/wiki/Egghead_Software)
5.1.6 Heartland Payment Systems
Heartland sued over data breach (http://news.cnet.com/8301-1009_3-10151961-83.html)
5.1.7 Verizon Data Breach Study
Note that Verizon conducted the study, and one should not construe this section to mean that they had any data breaches themselves.
Verizon Business 2009 Data Breach Study Finds Significant Rise in Targeted Attacks, Organized Crime Involvement (http://newscenter.verizon.com/press-releases/verizon/2009/verizon-business-2009-data.html)
5.1.8 Web Hacking Incidents Database
Old Site (http://www.webappsec.org/projects/whid/)
New Site (http://www.xiom.com/whidf)
5.1.9 DATALOSSdb
Web Site (http://datalossdb.org/)
http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/
5.2 Abuse Detection and Response: A Cost-Benefit Perspective
As I mentioned earlier, abuse detection is a kind of classification problem (see 4.1), which will forever be an imprecise science.
In general, you want to balance the costs of false positives and false negatives. If we assume rate means per unit of time, or per number of interactions with the outside world, then the equation would be:
$\mathit{fprate} \cdot \mathit{fpcost} = \mathit{fnrate} \cdot \mathit{fncost}$
Note that the definitions are very important to the equation! The ratio of abuse or intrusion attempts to legitimate traffic is usually rather low, and so naively substituting the chance of failing to recognize a valid abuse attempt as the fprate above will give an incorrect result. This is related to the base-rate fallacy described above (see 4.1.2). What you probably want then is to define the abuse ratio (abrat) as the number of abuse attempts per incoming requests, and you get:
$\mathit{fprate} = \mathit{abrat} \cdot \mathit{fpchance}$
$\mathit{fnrate} = (1 - \mathit{abrat}) \cdot \mathit{fnchance}$
Thus, if we wish to avoid the term rate as being misleading, then the equation should really be:
$\mathit{abrat} \cdot \mathit{fpchance} \cdot \mathit{fpcost} = (1 - \mathit{abrat}) \cdot \mathit{fnchance} \cdot \mathit{fncost}$
Abuse detection (see 16) is all about the failure chances (and thus, rates as defined above). Abuse response choices (see 17) determine the cost. For example, anomaly detection will give a higher false positive rate (and lower false negative rate) than misuse detection (see 16.2).
If your response to abuse causes an alert (see 17.1) to be generated, and a human must investigate it, then the false positive cost will be high, so you might want to (for example) do some further validation of the detection event to lower the false positive rate. For example, if your IDS detected a Win32 attack against a Linux system, you might want to avoid generating an alert.
from doing so even if it was a false positive, then you can take a liberal definition of what you consider abusive. To use the above example, one might wish to taint the source (see 17.2.2) and shun him, even if the Win32 attack he launched could not have worked against the Linux box.
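A worked version of this cost balance, added here as an example and not from the original text. It takes a false positive to mean a false alarm on legitimate traffic and a false negative a missed abuse attempt (the sense used in the alert discussion above), so the per-request rates are (1 - abrat) * fpchance and abrat * fnchance; it also computes the precision of the alert stream (the base-rate fallacy in numbers) and the analyst cost per alert at which the noisier detector stops paying off. The two detectors, the abuse ratio and the costs are constructed.

```python
"""Expected-cost view of abuse detection, with the base rate made explicit.

Convention used here (an assumption, stated so the terms are unambiguous):
  fp_chance = P(alert | legitimate request)   -> a false alarm
  fn_chance = P(no alert | abuse attempt)     -> a missed abuse
  abrat     = abuse attempts per incoming request (the base rate)
All detector figures and costs below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Detector:
    name: str
    fp_chance: float  # chance a legitimate request raises an alert
    fn_chance: float  # chance an abuse attempt raises no alert


# Constructed detectors: anomaly detection alerts more often (more false
# alarms, fewer misses) than signature-based misuse detection.
ANOMALY = Detector("anomaly", fp_chance=0.05, fn_chance=0.10)
MISUSE = Detector("misuse", fp_chance=0.001, fn_chance=0.50)


def false_positive_rate(det: Detector, abrat: float) -> float:
    """False alarms per incoming request: only legitimate traffic can cause them."""
    return (1.0 - abrat) * det.fp_chance


def false_negative_rate(det: Detector, abrat: float) -> float:
    """Missed abuses per incoming request: only abuse attempts can cause them."""
    return abrat * det.fn_chance


def expected_cost_per_request(det: Detector, abrat: float,
                              fp_cost: float, fn_cost: float) -> float:
    """fprate * fpcost + fnrate * fncost: what each request costs on average."""
    return (false_positive_rate(det, abrat) * fp_cost
            + false_negative_rate(det, abrat) * fn_cost)


def alert_precision(det: Detector, abrat: float) -> float:
    """Fraction of alerts that are real abuse.

    Small when abrat is small, even for a good detector: the base-rate fallacy.
    """
    true_alerts = abrat * (1.0 - det.fn_chance)
    false_alerts = (1.0 - abrat) * det.fp_chance
    return true_alerts / (true_alerts + false_alerts)


def cheapest_detector(detectors, abrat: float, fp_cost: float, fn_cost: float) -> Detector:
    """The detector with the lowest expected cost per request for these inputs."""
    return min(detectors,
               key=lambda d: expected_cost_per_request(d, abrat, fp_cost, fn_cost))


def breakeven_fp_cost(noisy: Detector, quiet: Detector, abrat: float, fn_cost: float) -> float:
    """False-alarm cost at which the noisier detector stops being cheaper.

    Solve cost(noisy) == cost(quiet) for the false-alarm cost C:
      (1-a)*fp_n*C + a*fn_n*F == (1-a)*fp_q*C + a*fn_q*F
    Above this analyst cost per alert, the quieter detector wins.
    """
    return (abrat * (quiet.fn_chance - noisy.fn_chance) * fn_cost
            / ((1.0 - abrat) * (noisy.fp_chance - quiet.fp_chance)))


if __name__ == "__main__":
    # Constructed inputs: 1 abuse attempt per 1000 requests, $20 of analyst
    # time per alert investigated, $5000 per abuse that gets through.
    abrat, fp_cost, fn_cost = 0.001, 20.0, 5000.0
    for det in (ANOMALY, MISUSE):
        print(f"{det.name:8s} cost/request="
              f"{expected_cost_per_request(det, abrat, fp_cost, fn_cost):.4f}"
              f" alert precision={alert_precision(det, abrat):.3f}")
    print("cheapest:", cheapest_detector([ANOMALY, MISUSE], abrat, fp_cost, fn_cost).name)
    print(f"anomaly detection stops paying off once a false alarm costs "
          f"${breakeven_fp_cost(ANOMALY, MISUSE, abrat, fn_cost):.2f}")
```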
Intrusion detection is merely a subset of abuse detection, since an intrusion is only one kind of abuse of a system.
See also 35.7, 35.8.
6 Adversary Modeling
If you know the enemy and know yourself, you need not fear the result of a hundred battles.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself, you will succumb in every battle.
Sun Tzu, The Art of War (http://en.wikipedia.org/wiki/The_Art_of_War)
After deciding what you need to protect (your assets), you need to know about the threats you wish to protect it against, or the adversaries (sometimes called threat agents) which may threaten it. Generally intelligence units have threat shops, where they monitor and keep track of the people who may threaten their operations. This is natural, since it is easier to get an idea of who will try and do something than how some unspecified person may try to do it, and can help by hardening systems in enemy territory more than those in safer areas, leading to more efficient use of resources. I shall call this adversary modeling.
In adversary modeling, the implicit assumptions are that you have a limited budget and the number of threats is so large that you cannot defend against all of them. So you now need to decide where to allocate your resources. Part of this involves trying to figure out who your adversaries are and what their capabilities and intentions are, and thus how much to worry about particular domains of knowledge or technology. You don't have to know their name, location and social security number; it can be as simple as "some high school student on the Internet somewhere who doesn't like us", "a disgruntled employee" (as opposed to a gruntled employee), or "some sexually frustrated script-kiddie on IRC who doesn't like the fact that he is a jerk who enjoys abusing people and therefore his only friends are other dysfunctional jerks like him". People in charge of doing attacker-centric threat modeling must understand their adversaries and be willing to take chances by allocating resources against an adversary which hasn't actually attacked them yet, or else they will always be defending against yesterday's adversary, and get caught flat-footed by a new one.
The excellent but poorly titled[1] book Stumbling on Happiness tells us that we make two common kinds of errors when reasoning about other humans:
1. Overly different; if you looked at grapes all day, you'd know a hundred different kinds, and naturally think them very different. But they all squish when you step on them, they are all fruits and frankly, not terribly different at all. So too we are conditioned to see people as different because the things that matter most to us, like finding an appropriate mate or trusting people, cannot be discerned with questions like "do you like breathing?". An interesting experiment showed that a description of how they felt by people who had gone through a process is more accurate in predicting how a person will feel after the process than a description of the process itself. Put another way, people assume that the experience of others is too dependent on the minor differences between humans that we mentally exaggerate.
2. Overly similar; people assume that others are motivated by the same things they are motivated by; we project onto them a reflection of our self. If a financier or accountant has ever climbed mount Everest, I am not aware of it. Surely it is a cost center, yes?
6.2 Cost-Benefit
Often, the lower layers of the security hierarchy cost more to build out than the higher levels. Physical security requires guards, locks, iron bars, shatterproof windows, shielding, and various other things which, being physical, cost real money. On the other hand, network security may only need a free software firewall. However, what an adversary could cost you during a physical attack (e.g. a burglar looting your home) may be greater than an adversary could cost you by defacing your web site.
6.3 Risk Tolerance
We may assume that the distribution of risk tolerance among adversaries is monotonically decreasing; that is, the number of adversaries who are willing to try a low-risk attack is greater than the number of adversaries who are willing to attempt a high-risk attack to get the same result. Beware of risk evaluation though; while a hacker may be taking a great risk to gain access to your home, local law enforcement with a valid warrant is not going to be risking as much.
[1] Stumbling on Happiness is actually a book of psychological illusions, ways that our mind tends to trick us, and not a self-help book.
unknown, you may wish to have greater network security than physical security, simply because there are going to be more remote attacks.
6.4 Capabilities
You only have to worry about things to the extent they may lie within the capabilities of your adversaries. It is rare that adversaries use outside help when it comes to critical intelligence; it could, for all they know, be disinformation, or the outsider could be an agent-provocateur.
6.5 Sophistication Distribution
If they were capable, honest, and hard-working, they wouldn't need to steal.
Along similar lines, one can assume a monotonically decreasing number of adversaries with a certain level of sophistication. My rule of thumb is that for every person who knows how to perform a technique, there are x people who know about it, where x is a small number, perhaps 3 to 10. The same rule applies to people with the ability to write an exploit versus those able to download and use it (the so-called script kiddies). Once an exploit is coded into a worm, the chance of a compromised host having been compromised by the worm (instead of a human who targets it specifically) approaches 100%.
6.6 Goals
We've all met or know about people who would like nothing more than to break things, just for the heck of it; schoolyard bullies who feel hurt and want to hurt others, or their overgrown sadist kin. Vandals who merely want to write their name on your storefront. A street thug who will steal a cell phone just to throw it through a window. I'm sure the sort of person reading this isn't like that, but unfortunately some people are. What exactly are your adversary's goals? Are they to maximize ROI (Return On Investment) for themselves, or are they out to maximize pain (tax your resources) for you? Are they monetarily or ideologically motivated? What do they consider investment? What do they consider a reward? Put another way, you can't just assign a dollar value on assets, you must consider their value to the adversary.
7 Threat Modeling
Men of sense often learn from their enemies. It is from their foes, not their friends, that cities learn the lesson of building high walls
Aristophanes
In technology, people tend to focus on how rather than who, which seems to work better when anyone can potentially attack any system (like with publicly-facing systems on the Internet) and when protection mechanisms have low or no incremental cost (like with free and open-source software). I shall call modeling these threat modeling (http://en.wikipedia.org/wiki/Threat_model).
7.1 Common Platform Enumeration
CPE is a structured naming scheme for information technology systems, software, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name.
CPE Home Page
The first part of threat modelling should be, what is it I want to protect? And once you start to compile a list of things you wish to protect, you might want a consistent naming system for your computer assets. The CPE may help you here.
Common Platform Enumeration (http://cpe.mitre.org/)
7.2 A Taxonomy of Privacy Breaches
A Taxonomy of Privacy (http://www.concurringopinions.com/archives/2006/03/a_taxonomy_of_p.html)
In the above article, Daniel Solove suggests that breaches of privacy are not of a single type, but can mean a variety of things:
surveillance
interrogation
aggregation
identification
insecurity
secondary use
breach of confidentiality
disclosure
exposure
increased accessibility
blackmail
appropriation
distortion
intrusion
decisional interference
7.3 Threats to Security Properties
An important mnemonic for remembering the threats to security properties, originally introduced when threat modeling, is STRIDE:
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
Related links:
Wikipedia on STRIDE (http://en.wikipedia.org/wiki/STRIDE_(security))
Uncover Security Design Flaws Using The STRIDE Approach (http://msdn.microsoft.com/en-us/magazine/cc163519.aspx)
Microsoft has a rating system for calculating risks (http://msdn.microsoft.com/en-us/library/ff648644.aspx). Its mnemonic is DREAD:
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability
7.5 Attack Surface
Gnothi Seauton (Know Thyself)
ancient Greek aphorism (http://en.wikipedia.org/wiki/Know_thyself)
When discussing security, it's often useful to analyze the part which may interact with a particular adversary (or set of adversaries). For example, let's assume you are only worried about remote adversaries. If your system or network is only connected to the outside world via the Internet, then the attack surface is the parts of your system that interact with things on the Internet, or the parts of your system which accept input from the Internet. A firewall, then, limits the attack surface to a smaller portion of your systems by filtering some of your network traffic. Often, the firewall blocks all incoming connections.
Sometimes the attack surface is pervasive. For example, if you have a network-enabled embedded device like a webcam on your network that has a vulnerability in its networking stack, then anything which can send it packets may be able to exploit it. Since you probably can't fix the software in it, you must then use a firewall to attempt to limit what can trigger the bug. Similarly, there was a bug in Sendmail that could be exploited by sending a carefully-crafted email through a vulnerable server. The interesting bit here is that it might be an internal server that wasn't exposed to the Internet; the exploit was data-directed and so could be passed through your infrastructure until it hit a vulnerable implementation. That's why I consistently use one implementation (not Sendmail) throughout my network now.
If plugging a USB drive into your system causes it to automatically run things like a standard Microsoft Windows XP installation, then any plugged-in device is part of the attack surface. But even if it does not, then by plugging a USB device in you could potentially overflow the code which handles the USB or the driver for the particular device which is loaded; thus, the USB networking code
into the system.
Malware Distribution through Physical Media a Growing Concern (http://it.slashdot.org/article.pl?sid=08/01/13/1533243)
usbroken, a USB fuzzer based on Arduino (http://code.google.com/p/usbroken/)
Schneier Hacking Computers over USB (http://www.schneier.com/blog/archives/2006/06/hacking_compute.html)
USB Devices can Crack Windows (http://www.eweek.com/c/a/Security/USB-Devices-Can-Crack-Windows/)
psgroove, a jailbreak exploit for PS3 (http://github.com/psgroove/psgroove)
Moreover, a recent vulnerability (http://it.slashdot.org/it/08/01/14/1319256.shtml) illustrates that when you have something which inspects network traffic, such as uPNP devices or port knocking daemons, then their code forms part of the attack surface.
Sometimes you will hear people talk about the anonymous attack surface; this is the attack surface available to everyone (on the Internet). Since this number of people is so large, and you usually can't identify them or punish them, you want to be really sure that the anonymous attack surface is limited and doesn't have any so-called pre-auth vulnerabilities, because those can be exploited prior to identification and authentication.
7.6 Attack Trees
The next logical step is to move from defining the attack surface to modeling attacks and quantifying risk levels.
Wikipedia on Attack Tree (http://en.wikipedia.org/wiki/Attack_tree)
Schneier on Attack Trees (http://www.schneier.com/paper-attacktrees-ddj-ft.html)
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/requirements/236.html
Microsoft on Attack Trees (http://msdn.microsoft.com/en-us/library/ff648644.aspx)
Amdahl's law, also known as Amdahl's argument, is named after computer architect Gene Amdahl, and is used to find the maximum expected improvement to an overall system when only part of the system is improved.
Wikipedia (http://en.wikipedia.org/wiki/Amdahl%27s_law)
You are the weakest link, goodbye!
The Weakest Link (TV series)
Let us think of our security posture for whatever we're protecting as being composed of a number of systems (or groups of systems possibly offering defense-in-depth). The strength of these systems to attack may vary. You may wish to pour all your resources into one, but the security will likely be broken at the weakest point, either by chance or by an intelligent adversary.
This is an analogy to Amdahl's law, stated above, in that we can only increase our overall security posture by maintaining a delicate balance between the different defenses to attack vectors. Most of the time, your resources are best spent on the weakest area, which for some institutions (financial, military) is usually personnel.
The reasons you might not balance all security systems may include:
Economics matter here; it may be much cheaper and more reliable to buy a firewall than put your employees through security training. Software security measures sometimes have zero marginal cost, but hardware almost always has a marginal cost.
Exposure affects your risk calculations; an Internet attack is much more likely than a physical attack, so you may put more effort into Internet defense than physical defense.
Capability matters in that organizations have varying abilities. For example, the military may simply make carrying a thumb drive into the facility a punishable offense, but a commercial organization may find that too difficult or unpopular to enforce. An Internet company, by contrast, may have a strong technical capability, and so might choose to write software to prevent the use of thumb drives.
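The attack-tree evaluation of 7.6 and the weakest-link argument of 7.7 in one piece of code, added here as an example and not from the original text. It finds the cheapest path through a tree (minimum over OR nodes, sum over AND nodes, as in Schneier's attack trees) and then shows the Amdahl-style limit: hardening a node off the cheapest path buys nothing, and hardening the weakest link only helps up to the cost of the next-weakest path. The tree, its node names and all costs are constructed.

```python
"""Attack-tree evaluation: the cheapest path to the goal is the weakest link.

Every node, name and cost below is constructed for illustration; costs are the
attacker's estimated effort in arbitrary units, as in Schneier's attack trees.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Node:
    name: str
    kind: str = "LEAF"               # "LEAF", "AND" (all children needed) or "OR" (any child suffices)
    cost: float = 0.0                # attacker cost, meaningful for leaves only
    children: Tuple["Node", ...] = ()


def leaf(name: str, cost: float) -> Node:
    return Node(name, "LEAF", cost)


def any_of(name: str, *kids: Node) -> Node:
    return Node(name, "OR", 0.0, tuple(kids))


def all_of(name: str, *kids: Node) -> Node:
    return Node(name, "AND", 0.0, tuple(kids))


def cheapest_attack(node: Node) -> Tuple[float, List[str]]:
    """Return (cost, leaf names) of the cheapest way to reach `node`.

    OR nodes take the minimum over their children; AND nodes sum them.
    """
    if node.kind == "LEAF":
        return node.cost, [node.name]
    results = [cheapest_attack(child) for child in node.children]
    if node.kind == "AND":
        return sum(c for c, _ in results), [n for _, names in results for n in names]
    return min(results, key=lambda r: r[0])


def all_leaf_names(node: Node) -> List[str]:
    if node.kind == "LEAF":
        return [node.name]
    return [n for child in node.children for n in all_leaf_names(child)]


def harden(node: Node, leaf_name: str, extra_cost: float) -> Node:
    """Copy of the tree in which one leaf costs the attacker `extra_cost` more."""
    if node.kind == "LEAF":
        return replace(node, cost=node.cost + extra_cost) if node.name == leaf_name else node
    return replace(node, children=tuple(harden(c, leaf_name, extra_cost) for c in node.children))


def marginal_gain(tree: Node, leaf_name: str, extra_cost: float) -> float:
    """How much dearer the cheapest attack becomes if one leaf is hardened.

    This is the Amdahl-style limit: the gain is capped by the next-cheapest
    path, and is zero if the hardened leaf was not on the cheapest path.
    """
    return cheapest_attack(harden(tree, leaf_name, extra_cost))[0] - cheapest_attack(tree)[0]


def best_single_hardening(tree: Node, extra_cost: float) -> Tuple[str, float]:
    """The leaf whose hardening raises the cheapest attack the most, with the gain."""
    gains = {name: marginal_gain(tree, name, extra_cost) for name in all_leaf_names(tree)}
    best = max(gains, key=gains.get)
    return best, gains[best]


# Constructed tree: three ways for an adversary to get at a customer database.
TREE = any_of("Read customer database",
              all_of("Break in over the network",
                     leaf("Find exposed service", 500),
                     leaf("Exploit it", 3000)),
              any_of("Obtain an insider's credentials",
                     leaf("Phish an employee", 200),
                     leaf("Bribe an administrator", 20000)),
              all_of("Steal a backup tape",
                     leaf("Enter the building", 1500),
                     leaf("Locate the tape", 300)))


if __name__ == "__main__":
    cost, path = cheapest_attack(TREE)
    print(f"weakest link: {path} at cost {cost}")
    for name in ("Exploit it", "Phish an employee"):
        print(f"hardening {name!r} by 5000 raises the cheapest attack by "
              f"{marginal_gain(TREE, name, 5000)}")
    print("best single spend:", best_single_hardening(TREE, 5000))
```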
8 Physical Security
When people think of physical security, they often think only of the strength of access control devices; I recall a story of a cat burglar who used a chainsaw to cut through victim's walls, bypassing any access control devices. I remember
security.
Wikipedia article on Physical Security (http://en.wikipedia.org/wiki/Physical_security)
8.1 No Physical Security Means No Security
While the locks are getting tougher, the door and frame are getting weaker. A well-placed kick usually does the trick.
a burglar
A couple of limitations come up without physical security for a system. For confidentiality, all of the sensitive data needs to be encrypted. But even if you encrypt the data, an adversary with physical access could trojan the OS and capture the data (this is a control attack now, not just a confidentiality breach; go this far and you've protected against overt seizure, theft, improper disposal and such). So you'll need to protect the confidentiality and integrity of the OS; then he trojans the kernel. If you protect the kernel, he trojans the boot loader. If you protect the boot loader (say by putting it on a removable medium), he trojans the BIOS. If you protect the BIOS, he trojans the CPU. So you put a tamper-evident label on it, with your signature on it, and check it every time. But he can install a keyboard logger. So suppose you make a sealed box with everything in it, and connectors on the front. Now he gets measurements and photos of your machine, spends a fortune replicating it, replaces your system with an outwardly identical one of his design (the trojan box), which communicates (say, via encrypted spread-spectrum radio) to your real box. When you type plaintext, it goes through his system, gets logged, and relayed to your system as keystrokes. Since you talk plaintext, neither of you are the wiser.
The physical layer is a common place to facilitate a side-channel attack (see 31.2).
8.2 Data Remanence
I know what your computer did last summer.
Data remanence is the residual physical representation of your information on media after you believe that you have removed it (definition thanks to Wikipedia, http://en.wikipedia.org/wiki/Data_remanence). This is a disputed region of technology, with a great deal of speculation, self-styled experts, but very little hard science.
Systems (Ver.2 09/91) (http://www.fas.org/irp/nsa/rainbow/tg025-2.htm)
National Security Agency/CSS Degausser Products List 25 Sep 2001 (http://www.fas.org/irp/nsa/degausse.pdf)
Last time I looked most of the degaussers require 220V power and may not work on hard drives, due to their high coercivity.
As of 2006, the most definitive study seems to be the NIST Computer Security Division paper Guidelines for Media Sanitization (http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf). NIST is known to work with the NSA on some topics, and this may be one of them. It introduces some useful terminology:
disposing is the act of discarding media with no other considerations
clearing is a level of media sanitization that resists anything you could do at the keyboard or remotely, and usually involves overwriting the data at least once
purging is a process that protects against a laboratory attack (signal processing equipment and specially trained personnel)
destroying is the ultimate form of sanitization, and means that the medium can no longer be used as originally intended
8.2.1 Magnetic Storage Media (Disks)
The seminal paper on this is Peter Gutmann's Secure Deletion of Data from Magnetic and Solid-State Memory (http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html). In early versions of his paper, he speculated that one could extract data due to hysteresis effects even after a single overwrite, but on subsequent revisions he stated that there was no evidence a single overwrite was insufficient. Simson Garfinkel wrote about it recently in his blog (https://www.techreview.com/blog/garfinkel/17567/).
The NIST paper has some interesting tidbits in it. Obviously, disposal cannot protect confidentiality of unencrypted media. Clearing is probably sufficient security for 99% of all data; I highly recommend Darik's Boot and Nuke (http://dban.sourceforge.net/), which is a bootable floppy or CD based on Linux. However, it cannot work if the storage device stops working properly, and it does not overwrite sectors or tracks marked bad and transparently relocated by the drive firmware. With all ATA drives over 15GB, there is a secure delete ATA command which can be accessed from hdparm within Linux, and Gordon Hughes has some interesting documents and a Microsoft-based utility (http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml).
secure-erase-data-security-you-already-own/). In the case of very damaged disks, you may have to resort to physical destruction. However, with disk densities being what they are, even 1/125 of a disk platter may hold a full sector, and someone with absurd amounts of money could theoretically extract small quantities of data. Fortunately, nobody cares this much about your data.
Now, you may wonder what you can do about very damaged disks, or what to do if the media isn't online (for example, you buried it in an underground bunker), or if you have to get rid of the data fast. I would suggest that encrypted storage (see 28.7) would almost always be a good idea. If you use it, you merely have to protect the confidentiality of the key, and if you can properly sanitize the media, all the better. Recently Simson Garfinkel re-discovered a technique for getting the data off broken drives; freezing them. Another technique that I have used is to replace the logic board with one from a working drive.
Hard drive's data survives shuttle explosion (http://blocksandfiles.com/article/5056)
German firm probes final World Trade Center deals (http://www.prisonplanet.com/german_firm_probes_final_world_trade_center_deals.htm)
Wikipedia entry on Data Recovery (http://en.wikipedia.org/wiki/Data_recovery)
200 ways to recover your data (http://btjunkie.org/torrent/200-Ways-To-Recover-Revive-Your-Hard-Drive/4358 d27083f53a0d4d 3a7e 8354d22b61574534 96)
Data Recovery blog (http://datarecovery-hddrecovery.blogspot.com/)
8.2.2 Semiconductor Storage (RAM)
Peter Gutmann's Data Remanence in Semiconductor Devices (http://www.cypherpunks.to/~peter/usenix01.pdf) shows that if a particular value is held in RAM for extended periods of time, various processes such as electromigration make permanent changes to the semiconductor's structure. In some cases, it is possible for the value to be burned in to the cell, such that it cannot hold another value.
Cold Boot Attack Recently a Princeton team (http://citp.princeton.edu/memory/) found that the values held in DRAM decay in predictable ways after power is removed, such that one can merely reboot the system and recover keys for most encrypted storage systems (http://citp.princeton.edu/pub/coldboot.pdf). By cooling the chip first, this data remains longer. This generated much talk in the industry. This prompted an interesting overview of attacks against encrypted storage systems (http://www.news.com/8301-13578_3-9876060-38.html).
12/bbtv-hacker-howto-co.html)
Direct Memory Access It turns out that certain peripheral devices, notably Firewire, have direct memory access.
This means that you can plug something into the computer and read data directly out of RAM.
That means you can read passwords directly out of memory:
http://storm.net.nz/projects/16
Reading RAM With A Laser
On A New Way to Read Data from Memory (http://www.cl.cam.ac.uk/~rja14/Papers/SISW02.pdf)
8.3 Smart Card Attacks
This section deserves great expansion.
Instead I'll punt and point you at the latest USENIX conference on this:
Usenix CARDIS02 (http://www.usenix.org/publications/library/proceedings/cardis02/tech.html)
9 Hardware Security
9.1 Introduction
Hardware security is a term I invented to describe the security models provided by a CPU (http://en.wikipedia.org/wiki/Central_processing_unit), associated chipset (http://en.wikipedia.org/wiki/Chipset) and peripheral hardware. The assumption here is that the adversary can create and execute program code of his own choosing, possibly as an administrator (root). As computer hardware and firmware (http://en.wikipedia.org/wiki/Firmware) become more complex, there will be more and more vulnerabilities found in them, so this section is likely to grow over time.
Each computer hardware architecture is going to have its own security models, so this discussion is going to be specific to the hardware platform under consideration.
Most modern computer systems have at least two modes of operation; normal operation and privileged mode. The vast majority of software runs in normal mode, and the operating system, or more accurately the kernel, runs in privileged mode. Similarly, most of the functionality of the CPU is available in normal mode, whereas a small but significant portion, such as that related to memory management and communicating with hardware, is restricted to that operating in privileged mode.
Some CPU architectures go farther and define a series of hierarchical protection domains that are often called protection rings (http://en.wikipedia.org/wiki/Ring_(computer_security)). This is a simple extrapolation of the two-level normal/privileged mode into multiple levels, or rings.
9.3 Operating Modes
The Intel architectures in particular have several operating modes. These are not privilege rings, but rather represent the state that the CPU is in, which affects how various instructions are interpreted:
Real-address mode (http://en.wikipedia.org/wiki/Real_mode)
Protected Mode (http://en.wikipedia.org/wiki/Protected_mode)
System Management Mode (http://en.wikipedia.org/wiki/System_Management_Mode)
Virtual 8086 Mode (http://en.wikipedia.org/wiki/Virtual_8086_mode)
9.4 NX bit
The NX bit, which stands for No eXecute, is a technology used in CPUs to segregate areas of memory for use by either storage of processor instructions (or code) or for storage of data, a feature normally only found in Harvard architecture processors. However, the NX bit is being increasingly used in conventional von Neumann architecture processors, for security reasons.
An operating system with support for the NX bit may mark certain areas of memory as non-executable. The processor will then refuse to execute any code residing in these areas of memory. The general technique, known as executable space protection, is used to prevent certain types of malicious software from taking over computers by inserting their code into another program's data storage area and running their own code from within this section; this is known as a buffer overflow attack.
Wikipedia entry on NX bit (http://en.wikipedia.org/wiki/NX_bit)
9.5 Supervisors and Hypervisors
Supervisory Program (http://en.wikipedia.org/wiki/Supervisory_program)
Hypervisor (http://en.wikipedia.org/wiki/Hypervisor)
9.6 Trusted Computing
Trusted Platform Module (http://en.wikipedia.org/wiki/Trusted_Platform_Module)
Trusted Computing: The Mother(board) of All Big Brothers (http://www.cypherpunks.to/TCPA_DEFCON_10.pdf)
Trusted Computing Group (http://en.wikipedia.org/wiki/Trusted_Computing_Group)
Intel TCPA Overview (http://yuan.ecom.cmu.edu/trust/cd/Presentations/Intel%20TCPA%20Overview.ppt)
Trusted Computing Group home page (http://www.trustedcomputinggroup.org/)
EFF: Trusted Computing: Promise and Risk (http://www.eff.org/wp/trusted-computing-promise-and-risk)
Ross Anderson's TCPA FAQ (http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html)
FSF: Can You Trust Trusted Computing (http://www.gnu.org/philosophy/can-you-trust.html)
OpenTC project (http://www.opentc.net/)
IBM TCPA Group (http://www.research.ibm.com/gsal/tcpa/)
Infineon TPM chip hacked (http://www.flylogic.net/blog/?tag=infineon)
Not really a backdoor, but the wake-on-lan and remote management facilities could be used by an attacker.
Intel vPro (http://en.wikipedia.org/wiki/Intel_vPro)
Big Brother Potentially Exists Right Now (http://www.tgdaily.com/hardware-opinion/39455-big-brother-potentially-exists-right-now-in-our-pcs-compliments-of-intels-vpr) (note: he is wrong about what ECHELON is)
9.8 Hardware Vulnerabilities and Exploits
f00f bug (http://en.wikipedia.org/wiki/F00f)
Cyrix Coma Bug (http://en.wikipedia.org/wiki/Cyrix_coma_bug)
Using CPU System Management Mode to Circumvent Operating System Security Functions (http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/cansecwest2006-duflot-paper.pdf)
Attacking SMM Memory via Intel CPU Cache Poisoning (http://theinvisiblethings.blogspot.com/2009/03/attacking-smm-memory-via-intel-cpu.html)
Attacking Intel Trusted Execution Technology (http://www.blackhat.com/presentations/bh-dc-09/Wojtczuk_Rutkowska/BlackHat-DC-09-Rutkowska-Attacking-Intel-TXT-slides.pdf)
Blue Pill (http://en.wikipedia.org/wiki/Blue_Pill_(malware))
SMM Rootkits: A New Breed of OS Independent Malware (http://www.eecs.ucf.edu/%7Eczou/research/SMM-Rootkits-Securecom08.pdf)
Subverting the Xen Hypervisor (http://invisiblethingslab.com/resources/bh08/)
TPM Reset Attack (http://www.cs.dartmouth.edu/~pkilab/sparks/)
10 Distributed Systems
10.1 Network Security Overview
The things involved in network security are called nodes. One can talk about networks composed of humans (social networks), but that's not the kind of network we're talking about here; I always mean a computer unless I say otherwise.
Often in network security the adversary is assumed to control the network in