
travis+security@subspacefield.org

January 26, 2015

Abstract

This is an online book about computer, network, technical, physical, information and cryptographic security. It is a labor of love, incomplete until the day I am finished.

Contents

1 Metadata . . . 11
1.1 Copyright and Distribution Control . . . 12
1.2 Goals . . . 12
1.3 Audience . . . 12
1.4 About This Work . . . 13
1.5 On the HTML Version . . . 13
1.6 About Writing This . . . 13
1.7 Tools Used To Create This Book . . . 14

2 Security Properties . . . 14
2.1 Information Security is a PAIN . . . 15
2.2 Parkerian Hexad . . . 15
2.3 Pentagon of Trust . . . 16
2.4 Security Equivalency . . . 16
2.5 Other Questions . . . 16

3 Security Models . . . 16

4.1 The Classification Problem . . . 17
4.2 Security Layers . . . 19
4.3 Privilege Levels . . . 20
4.4 What is a Vulnerability? . . . 21
4.5 Vulnerability Databases . . . 21
4.6 Accuracy Limitations . . . 23
4.7 Rice's Theorem . . . 23

5 Economics of Security . . . 23
5.1 How Expensive are Security Failures? . . . 23
5.2 Abuse Detection and Response: A Cost-Benefit Perspective . . . 26

6 Adversary Modeling . . . 27
6.1 Common Psychological Errors . . . 28
6.2 Cost-Benefit . . . 28
6.3 Risk Tolerance . . . 28
6.4 Capabilities . . . 29
6.5 Sophistication Distribution . . . 29
6.6 Goals . . . 29

7 Threat Modeling . . . 29
7.1 Common Platform Enumeration . . . 30
7.2 A Taxonomy of Privacy Breaches . . . 30
7.3 Threats to Security Properties . . . 31
7.4 Quantifying Risk . . . 32
7.5 Attack Surface . . . 32
7.6 Attack Trees . . . 33
7.7 The Weakest Link . . . 34

8 Physical Security . . . 34
8.1 No Physical Security Means No Security . . . 35
8.2 Data Remanence . . . 35
8.3 Smart Card Attacks . . . 38

9.1 Introduction . . . 38
9.2 Protection Rings . . . 39
9.3 Operating Modes . . . 39
9.4 NX bit . . . 39
9.5 Supervisors and Hypervisors . . . 40
9.6 Trusted Computing . . . 40
9.7 Intel vPro . . . 41
9.8 Hardware Vulnerabilities and Exploits . . . 41

10 Distributed Systems . . . 41
10.1 Network Security Overview . . . 41
10.2 Network Access Control . . . 42
10.3 Network Reconnaissance . . . 43
10.4 Network Intrusion Detection and Prevention . . . 44
10.5 Cryptography is the Sine Qua Non of Secure Distributed Systems . . . 44
10.6 Hello, My Name is 192.168.1.1 . . . 45
10.7 Source Tapping; The First Hop and Last Mile . . . 45
10.8 Security Equivalent Things Go Together . . . 46
10.9 Man In The Middle . . . 46
10.10 Network Surveillance . . . 48
10.11 Push vs. Pull Updates . . . 48
10.12 DNS Issues . . . 48
10.13 Network Topology . . . 48

11 Identification and Authentication . . . 49
11.1 Identity . . . 49
11.2 Identity Management . . . 49
11.3 The Identity Continuum . . . 50
11.4 Problems Remaining Anonymous . . . 51
11.5 Problems with Identifying People . . . 51
11.6 What Authority? . . . 51
11.8 Authentication Factors . . . 52
11.9 Authenticators . . . 52
11.10 Biometrics . . . 56
11.11 Authentication Issues: When, What . . . 56
11.12 Remote Attestation . . . 57
11.13 Advanced Authentication Tools . . . 58

12 Authorization - Access Control . . . 58
12.1 Privilege Escalation . . . 58
12.2 Physical Access Control . . . 59
12.3 Operating System Access Control . . . 59
12.4 Application Authorization Decisions . . . 60
12.5 IPTables, IPChains, Netfilter . . . 65
12.6 PF . . . 65
12.7 Keynote . . . 65

13 Secure System Administration . . . 65
13.1 Backups . . . 65
13.2 Monitoring . . . 66
13.3 Visualization . . . 66
13.4 Change Management . . . 66
13.5 Self-Healing Systems . . . 67
13.6 Heterogeneous vs. Homogeneous Defenses . . . 67

14 Logging . . . 67
14.1 Synchronized Time . . . 67
14.2 Syslog . . . 68
14.3 Cryptographically Untamperable Logs . . . 68

15 Reporting . . . 68
15.1 Change Reporting . . . 68
15.2 Artificial Ignorance . . . 68
15.3 Dead Man's Switch . . . 69

16.1 Physical Intrusion Detection . . . 69
16.2 Misuse Detection vs. Anomaly Detection . . . 70
16.3 Computer Immune Systems . . . 70
16.4 Behavior-Based Detection . . . 70
16.5 Honey Traps . . . 71
16.6 Tripwires and Booby Traps . . . 71
16.7 Malware and Anti-Malware . . . 72
16.8 Detecting Automated Peers . . . 74
16.9 Host-Based Intrusion Detection . . . 75
16.10 Intrusion Detection Principles . . . 76
16.11 Intrusion Information Collection . . . 77

17 Abuse Response . . . 77
17.1 Abuse Alerting . . . 78
17.2 How to Respond to Abuse . . . 79
17.3 Identification Issues . . . 83
17.4 Resource Consumption Defenses . . . 83
17.5 Proportional Response . . . 84

18 Forensics . . . 85
18.1 Forensic Limitations . . . 85
18.2 Remnant Data . . . 86
18.3 Ephemeral Data . . . 86
18.4 Remnant Data . . . 86
18.5 Hidden Data . . . 86
18.6 Metadata . . . 86
18.7 Locating Encryption Keys and Encrypted Data . . . 86
18.8 Forensic Inference . . . 87

19 Privacy . . . 87
19.1 Mix-Based Systems . . . 87
19.2 Distros . . . 88

20.1 Response to Worms and Human Perpetrators . . . 88
20.2 Response to Malware . . . 89

21 Network Security . . . 89
21.1 The Current State of Things . . . 89
21.2 Traffic Identification . . . 90
21.3 Brute-Force Defenses . . . 92
21.4 Federated Defense . . . 92
21.5 VLANs Are Not Security Technologies . . . 92
21.6 Advanced Network Security Technologies . . . 92

22 Email Security . . . 93
22.1 Unsolicited Bulk Email . . . 93
22.2 Phishing . . . 96
22.3 Frameworks . . . 96

23 Web Security . . . 96
23.1 Direct Browser Attacks . . . 96
23.2 Indirect Browser Attacks . . . 97
23.3 Web Application Vulnerabilities . . . 99
23.4 Relevant Standards . . . 99
23.5 Crawler Attacks . . . 99
23.6 SSL Certificates Made Redundant . . . 100

24 Software Security . . . 100
24.1 Security is a Subset of Correctness . . . 100
24.2 Secure Coding . . . 100
24.3 Malware vs. Data-Directed Attacks . . . 101
24.4 Language Weaknesses . . . 101
24.5 Reverse Engineering . . . 103
24.6 Application Exploitation . . . 104
24.7 Application Exploitation Defenses . . . 105
24.9 Failure Modes . . . 107
24.10 Fault Tolerance . . . 108
24.11 Implications of Incorrectness . . . 108

25 Human Factors and Usability . . . 108
25.1 The Psychology of Security . . . 108
25.2 Social Engineering . . . 109
25.3 Security Should Be Obvious, and the Default . . . 109
25.4 Security Should Be Easy to Use . . . 109
25.5 No Hidden Data . . . 109

26 Attack Patterns . . . 110
26.1 Attack Taxonomy . . . 110
26.2 Attack Properties . . . 110
26.3 Attack Cycle . . . 111
26.4 Common Attack Pattern Enumeration and Classification . . . 112

27 Trust and Personnel Security . . . 112
27.1 Trust and Trustworthiness . . . 112
27.2 Who or What Are You Trusting? . . . 113
27.3 Code Provenance . . . 114
27.4 The Incompetence Defense . . . 115
27.5 Limiting Damage Caused by Trusted People . . . 115

28 Cryptography . . . 116
28.1 Things To Know Before Doing Crypto . . . 116
28.2 Limits of Cryptography . . . 120
28.3 Cryptographic Algorithms . . . 123
28.4 Cryptographic Algorithm Enhancements . . . 128
28.5 Cryptographic Combinations . . . 137
28.6 Cryptographic Protocols . . . 140
28.7 Encrypted Storage . . . 144
28.8 Deniable Storage . . . 147
28.9 Key Management . . . 148
28.10 Cryptographic Standards . . . 155

29.1 Types of Random Number Generators . . . 158
29.2 Pseudo-Random Number Generators . . . 158
29.3 An Ideal Random Number Generator . . . 158
29.4 Definitions of Unpredictability . . . 159
29.5 Definitions of Randomness . . . 159
29.6 Types of Entropy . . . 160
29.7 Why Entropy and Unpredictability Are Not the Same . . . 162
29.8 Unpredictability is the Sine Qua Non of Cryptography . . . 163
29.9 Unpredictability is Not Provable . . . 163
29.10 Randomly Generated Samples . . . 164
29.11 Testing Samples For Predictability . . . 164
29.12 Testing Noise Sources . . . 164
29.13 Ways to Fail . . . 165
29.14 Sources of Unpredictability . . . 166
29.15 The Laws of Unpredictability . . . 169

30 Cryptanalysis . . . 172
30.1 Cryptographic Attack Patterns . . . 172
30.2 A Priori Knowledge . . . 173
30.3 Length Extension Attacks . . . 174
30.4 Hash Collisions . . . 174
30.5 PKCS Padding Oracle Attack . . . 175
30.6 Cryptanalysis of Random Number Generators . . . 177
30.7 Cryptanalysis of Wireless Protocols . . . 178

31 Lateral Thinking . . . 178
31.1 Traffic Analysis . . . 179
31.2 Side Channels . . . 179

32.1 Intelligence Jargon . . . 185
32.2 Controlling Information Flow . . . 186
32.3 Labeling and Regulations . . . 186
32.4 Knowledge is Power . . . 188
32.5 Secrecy is Power . . . 188
32.6 Never Confirm Guesses . . . 189
32.7 What You Don't Know Can Hurt You . . . 189
32.8 How Secrecy is Lost . . . 190
32.9 Costs of Disclosure . . . 190
32.10 Dissemination . . . 191
32.11 Information, Misinformation, Disinformation . . . 191

33 Conflict and Combat . . . 192
33.1 Indicators and Warnings . . . 192
33.2 Attacker's Advantage in Network Warfare . . . 193
33.3 Defender's Advantage in Network Warfare . . . 193
33.4 OODA Loops . . . 194
33.5 Courses of Action . . . 195

34 Security Principles . . . 195
34.1 The Principle of Least Privilege . . . 195
34.2 The Principle of Agility . . . 196
34.3 The Principle of Minimal Assumptions . . . 198
34.4 The Principle of Fail-Secure Design . . . 199
34.5 The Principle of Unique Identifiers . . . 200
34.6 The Principles of Simplicity . . . 201
34.7 The Principle of Defense in Depth . . . 202
34.8 The Principle of Uniform Fronts . . . 202
34.9 The Principle of Split Control . . . 203
34.10 The Principle of Minimal Changes . . . 205
34.11 The Principle of Centralized Management . . . 205
34.13 The Principle of Removing Excuses . . . 207
34.14 The Principle of Usability . . . 207
34.15 The Principle of Retaining Control . . . 207
34.16 The Principle of Personality . . . 209
34.17 The Principle of Least Common Mechanism . . . 209
34.18 The Principle of Practice . . . 210
34.19 Work Factor Calculation . . . 210
34.20 Availability Principles . . . 211

35 Common Arguments . . . 211
35.1 Disclosure: Full, Partial, or None? . . . 211
35.2 Absolute vs. Effective Security . . . 216
35.3 Quantification and Metrics vs. Intuition . . . 218
35.4 Security Through Obscurity . . . 219
35.5 Security of Open Source vs. Closed Source . . . 220
35.6 Insider Threat vs. Outsider Threat . . . 221
35.7 Prevention vs. Detection . . . 223
35.8 Audit vs. Monitoring . . . 225
35.9 Early vs. Late Adopters . . . 225
35.10 Sending HTML Email . . . 226

36 Editorials, Predictions, Polemics, and Personal Opinions . . . 226
36.1 So You Think You're Old School? . . . 226
36.2 Security is for Polymaths . . . 227
36.3 A Proposed Perimeter Defense . . . 228
36.4 Linear Order Please! . . . 229
36.5 Computers are Transcending our Limitations . . . 229
36.6 Password Length Limits Considered Harmful . . . 230
36.7 Everything Will Be Encrypted Soon . . . 230
36.8 How Universal Digital Signing Will Affect Things . . . 231
36.9 Error Propagation Characteristics Usually Don't Matter . . . 231
36.11 Should My Employees Attend Hacker Conferences? . . . 234
36.12 Should You Sell Out? . . . 234
36.13 Anonymity is not a Crime . . . 236
36.14 Monitoring Your Employees . . . 237
36.15 Trust People in Spite of Counterexamples . . . 237
36.16 Do What I Mean vs. Do What I Say . . . 238
36.17 You Are Part of the Problem if You... . . . 239
36.18 What Do I Do to Not Get Hacked? . . . 239

37 Resources . . . 240
37.1 My Other Stuff . . . 240
37.2 Publications . . . 240
37.3 Conferences . . . 240
37.4 Books . . . 241
37.5 Periodicals . . . 242
37.6 Blogs . . . 242
37.7 Mailing Lists . . . 243
37.8 Computer Security Movies . . . 244

38 Unsorted . . . 244

39 Credits . . . 246

1 Metadata

The books that help you most are those which make you think the most. The hardest way of learning is that of easy reading; but a great book that comes from a great thinker is a ship of thought, deep freighted with truth and beauty.
Theodore Parker

1.1 Copyright and Distribution Control

Kindly link a person to it instead of redistributing it, so that people may always receive the latest version. However, even an outdated copy is better than none. The PDF version is preferred and more likely to render properly (especially graphics and special mathematical characters), but the HTML version is simply too convenient to not have it available. The latest version is always here:

http://www.subspacefield.org/security/security_concepts.html

This is a copyrighted work, with some rights reserved. This work is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License. This means you may redistribute it for non-commercial purposes, and that you must attribute me properly (without suggesting I endorse your work). For attribution, please include a prominent link back to this original work and some text describing the changes. I am comfortable with certain derivative works, such as translation into other languages, but not sure about others, so I have not yet explicitly granted permission for all derivative uses. If you have any questions, please email me and I'll be happy to discuss it with you.

1.2 Goals

I wrote this paper to try and examine the typical problems in computer security and related areas, and attempt to extract from them principles for defending systems. To this end I attempt to synthesize various fields of knowledge, including computer security, network security, cryptology, and intelligence. I also attempt to extract the principles and implicit assumptions behind cryptography and the protection of classified information, as obtained through reverse-engineering (that is, informed speculation based on existing regulations and stuff I read in books), where they are relevant to technological security.

1.3 Audience

When I picture a perfect reader, I always picture a monster of courage and curiosity, also something supple, cunning, cautious, a born adventurer and discoverer.
Friedrich Nietzsche

This is not intended to be an introductory text, although a beginner could gain something from it. The reason behind this is that beginners think in terms of tactics, rather than strategy, and of details rather than generalities. There are many fine books on computer and network security tactics (and many more not-so-fine books), and tactics change quickly, and being unpaid for this work, I am

attempted to extract abstract concepts and strategies which are not necessarily tied to computer security. And I have attempted to illustrate the points with interesting and entertaining examples and would love to have more, so if you can think of an example for one of my points, please send it to me!

I'm writing this for you, noble reader, so your comments are very welcome; you will be helping me make this better for every future reader. If you send a contribution or comment, you'll save me a lot of work if you tell me whether you wish to be mentioned in the credits (see 39) or not; I want to respect the privacy of anonymous contributors. If you're concerned that would be presumptuous, don't be; I consider it considerate of you to save me an email exchange. Security bloggers will find plenty of fodder by looking for new URLs added to this page, and I encourage you to do it, since I simply don't have time to comment on everything I link to. If you link to this paper from your blog entry, all the better.

1.4 About This Work

I have started this book with some terminology as a way to frame the discussion. Then I get into the details of the technology. Since this is adequately explained in other works, these sections are somewhat lean and may merely be a list of links. Then I get into my primary contribution, which is the fundamental principles of security which I have extracted from the technological details. Afterwards, I summarize some common arguments that one sees among security people, and I finish up with some of my personal observations and opinions.

1.5 On the HTML Version

Since this document is constantly being revised, I suggest that you start with the table of contents and click on the subject headings so that you can see which ones you have read already. If I add a section, it will show up as unread. By the time it has expired from your browser's history, it is probably time to re-read it anyway, since the contents have probably been updated.

See the end of this page for the date it was generated (which is also the last update time). I currently update this about once every two weeks.

Some equations may fail to render in HTML. Thus, you may wish to view the PDF version instead.

1.6 About Writing This

Part of the challenge with writing about this topic is that we are always learning and it never seems to settle down, nor does one ever seem to get a sense of

to-date than a book, and more comprehensive and self-contained than most web pages. I know it's uneven; in some areas it's just a heading with a paragraph, or a few links, in other places it can be as smoothly written as a book. I thought about breaking it up into multiple documents, so I could release each with much more fanfare, but that's just not the way I write, and it makes it difficult to do as much cross-linking as I'd like.

This is to my knowledge the first attempt to publish a computer security book on the web before printing it, so I have no idea if it will even be possible to print it commercially. That's okay; I'm not writing for money. I'd like for the Internet to be the public library of the 21st century, and this is my first significant donation to the collection. I am reminded of the advice of a staffer in the computer science department, who said, "do what you love, and the money will take care of itself."

That having been said, if you wanted to contribute towards the effort, you can help me defray the costs of maintaining a server and such by visiting our donation page. If you would like to donate but cannot, you may wait until such a time as you can afford to, and then give something away (i.e. pay it forward).

1.7 Tools Used To Create This Book

I use LyX, but I'm still a bit of a novice. I have a love/hate relationship with it and the underlying typesetting language LaTeX.

2 Security Properties

What do we mean by secure? When I say secure, I mean that an adversary can't make the system do something that its owner (or designer, or administrator, or even user) did not intend. Often this involves a violation of a general security property. Some security properties include:

confidentiality refers to whether the information in question is disclosed or remains private.

integrity refers to whether the systems (or data) remain uncorrupted. The opposite of this is malleability, where it is possible to change data without detection, and believe it or not, sometimes this is a desirable security property.

availability is whether the system is available when you need it or not.

consistency is whether the system behaves the same each time you use it.

so it can be investigated later. Direct-recording electronic voting machines (with no paper trail) are unauditable.

control is whether the system obeys only the authorized users or not.

authentication is whether the system can properly identify users. Sometimes, it is desirable that the system cannot do so, in which case it is anonymous or pseudonymous.

non-repudiation is a relatively obscure term meaning that if you take an action, you won't be able to deny it later. Sometimes, you want the opposite, in which case you want repudiability (plausible deniability).

Please forgive the slight difference in the way they are named; while English is partly to blame, these properties are not entirely parallel. For example, confidentiality refers to information (or inferences drawn on such) just as "program" refers to an executable stored on the disk, whereas control implies an active system just as "process" refers to a running program (as they say, a process is a program in motion). Also, you can compromise my data confidentiality with a completely passive attack such as reading my backup tapes, whereas controlling my system is inherently detectable since it involves interacting with it in some way.

2.1 Information Security is a PAIN

You can remember the security properties of information as PAIN: Privacy, Authenticity, Integrity, Non-repudiation.

2.2 Parkerian Hexad

There is something similar known as the Parkerian Hexad, defined by Donn B. Parker, which is six fundamental, atomic, non-overlapping attributes of information that are protected by information security measures:

1. confidentiality
2. possession
3. integrity
4. authenticity
5. availability
6. utility

2.3 Pentagon of Trust

1. Admissibility (is the remote node trustworthy?)
2. Authentication (who are you?)
3. Authorization (what are you allowed to do?)
4. Availability (is the data accessible?)
5. Authenticity (is the data intact?)

2.4 Security Equivalency

I consider two objects to be security equivalent if they are identical with respect to the security properties under discussion; for precision, I may refer to confidentiality-equivalent pieces of information if the sets of parties to which they may be disclosed (without violating security) are exactly the same (and conversely, so are the sets of parties to which they may not be disclosed). In this case, I'm discussing objects which, if treated improperly, could lead to a compromise of the security goal of confidentiality. Or I could say that two cryptosystems are confidentiality-equivalent, in which case the objects help achieve the security goal. To be perverse, these last two examples could be combined; if the information in the first example was actually the keys for the cryptosystem in the second example, then disclosure of the first could impact the confidentiality of the keys and thus the confidentiality of anything handled by the cryptosystems. Alternately, I could refer to access-control equivalence between two firewall implementations; in this case, I am discussing objects which implement a security mechanism which helps us achieve the security goal, such as confidentiality of something.

2.5 Other Questions

1. Secure to whom? A web site may be secure (to its owners) against unauthorized control, but may employ no encryption when collecting information from customers.

2. Secure from whom? A site may be secure against outsiders, but not insiders.

3 Security Models

I intend to expand this section when I have some time.

- Computer Security Models

- Biba Integrity Model
- Brewer-Nash Model
- Graham-Denning Model
- Take-Grant Model
- Clark-Wilson Model
- Harrison-Ruzzo-Ullman Model
- Non-interference Model

Related information in Operating System Access Control (12.3).

4 Security Concepts

There is no security on this earth, there is only opportunity.
General Douglas MacArthur (1880-1964)

These are important concepts which appear to apply across multiple security domains.

4.1 The Classification Problem

Many times in security you wish to distinguish between classes of data. This occurs in firewalls, where you want to allow certain traffic but not all, and in intrusion detection where you want to allow benign traffic but not allow malicious traffic, and in operating system security, where we wish to allow the user to run their programs but not malware (see 16.7). In doing so, we run into a number of limitations in various domains that deserve mention together.

4.1.1 Classification Errors

False Positives vs. False Negatives, also called Type I and Type II errors. Discuss equal error rate (EER) and its use in biometrics.

A more sophisticated measure is its Receiver Operating Characteristic curve, see:

- Information Awareness: A Prospective Technical Assessment

In The Base Rate Fallacy and its Implications for Intrusion Detection, the author essentially points out that there's a lot of benign traffic for every attack, and so even a small chance of a false positive will quickly overwhelm any true positives. Put another way, if one out of every 10,001 connections is malicious, and the test has a 1% false positive error rate, then for every 1 real malicious connection there are 10,000 benign connections, and hence 100 false positives.
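The arithmetic of the two preceding subsections, carried through in code as an added example (this is not code from the book): the confusion-matrix cells a detector produces at a given base rate, the precision an analyst actually experiences, and an equal-error-rate estimate found by sweeping a threshold. The function names and the detector scores are my own constructions; the 1-in-10,001 prevalence and 1% false positive rate are the text's numbers.

```python
# Added example (not from the book): classification error rates (4.1.1) and
# the base-rate arithmetic of 4.1.2, using the numbers given in the text.

def expected_counts(n_connections, malicious_rate, fp_rate, fn_rate=0.0):
    """Expected confusion-matrix cells for a detector run over n_connections,
    of which a fraction malicious_rate are actually malicious."""
    n_bad = n_connections * malicious_rate
    n_good = n_connections - n_bad
    tp = n_bad * (1.0 - fn_rate)      # attacks the detector catches
    fn = n_bad * fn_rate              # attacks it misses (Type II error)
    fp = n_good * fp_rate             # benign traffic it flags (Type I error)
    tn = n_good - fp
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn}


def precision(counts):
    """Fraction of alerts that are real attacks: what the analyst actually sees."""
    alerts = counts["tp"] + counts["fp"]
    return counts["tp"] / alerts if alerts else 0.0


def error_rates(benign_scores, malicious_scores, threshold):
    """FPR and FNR of the rule 'alert when score >= threshold'."""
    fpr = sum(s >= threshold for s in benign_scores) / len(benign_scores)
    fnr = sum(s < threshold for s in malicious_scores) / len(malicious_scores)
    return fpr, fnr


def equal_error_rate(benign_scores, malicious_scores):
    """Sweep every observed score as a threshold and return (threshold, fpr, fnr)
    at the point where FPR and FNR are closest: an estimate of the EER."""
    best = None
    for t in sorted(set(benign_scores) | set(malicious_scores)):
        fpr, fnr = error_rates(benign_scores, malicious_scores, t)
        if best is None or abs(fpr - fnr) < abs(best[1] - best[2]):
            best = (t, fpr, fnr)
    return best


# Constructed detector scores (not measurements): higher means "more suspicious".
BENIGN_SCORES = [0.1, 0.2, 0.3, 0.4, 0.6]
MALICIOUS_SCORES = [0.5, 0.7, 0.8, 0.9, 0.95]

if __name__ == "__main__":
    # The text's numbers: 1 malicious connection in 10,001, 1% false positive rate.
    counts = expected_counts(10_001, 1 / 10_001, 0.01)
    print("expected false positives per real attack:", counts["fp"])  # about 100
    print("precision of the alert stream:", precision(counts))         # about 1/101
    print("EER estimate (threshold, fpr, fnr):",
          equal_error_rate(BENIGN_SCORES, MALICIOUS_SCORES))
```

The precision figure is the one to watch: with the text's base rate, only about one alert in a hundred is real, even though the detector's own error rate of 1% sounds small. The EER sweep is the same trade-off viewed from the threshold side; the ROC curve the text mentions is just every point of that sweep plotted together.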

4.1.3 Test Efficiency

In other cases, you are perfectly capable of performing an accurate test, but not on all the traffic. You may want to apply a cheap test with some errors on one side before applying a second, more expensive test on the side with errors to weed them out. In medicine, this is done with a screening test which has low false negatives, and then, having concentrated the high risk population, you now diagnose with a more complex procedure with a low false positive rate because you're now diagnosing a high-prevalence population. This is done in BSD Unix with packet capturing via tcpdump, which uploads a coarse filter into the kernel, and then applies a more expensive but finer-grained test in userland which only operates on the packets which pass the first test.
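The two-stage arrangement just described, as an added example that is not the book's code and not tcpdump's: a cheap header-only filter standing in for the kernel BPF stage, and an expensive payload parse standing in for the userland stage, with counters showing how many packets each stage had to look at. The packets, port set and request-line rule are constructed for illustration.

```python
import re

# Constructed sample traffic (not captured data): (destination port, payload).
PACKETS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\x10\x01\x00\x00\x0c\x03\x03"),   # TLS-like bytes
    (53, b"\x12\x34\x01\x00\x00\x01"),                       # DNS-like header
    (80, b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\n"),         # oversized request line
    (80, b"\x90" * 64 + b"GET / HTTP/1.0\r\n"),             # non-HTTP junk on port 80
    (22, b"SSH-2.0-OpenSSH_9.0\r\n"),
]

WEB_PORTS = {80}


def coarse_filter(pkt):
    """Cheap stage, like the BPF filter tcpdump loads into the kernel: look only
    at the header. It never misses web traffic (low false negatives) but it
    also passes every benign web request (many false positives)."""
    dst_port, _ = pkt
    return dst_port in WEB_PORTS


# A well-formed request line with a bounded target length.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) (\S{1,2048}) HTTP/1\.[01]\r\n")


def fine_test(pkt):
    """Expensive stage, like the userland check: parse the payload and flag
    anything that is not a well-formed request line of bounded length."""
    _, payload = pkt
    return REQUEST_LINE.match(payload) is None


def two_stage_scan(packets):
    """Run the fine test only on packets the coarse filter lets through.
    Returns the flagged packets and how many packets each stage examined."""
    stats = {"coarse": 0, "fine": 0}
    flagged = []
    for pkt in packets:
        stats["coarse"] += 1
        if not coarse_filter(pkt):
            continue
        stats["fine"] += 1
        if fine_test(pkt):
            flagged.append(pkt)
    return flagged, stats


if __name__ == "__main__":
    flagged, stats = two_stage_scan(PACKETS)
    print("stage workload:", stats)
    for port, payload in flagged:
        print("flagged on port", port, ":", payload[:24])
```

The point the counters make is the medical one: the cheap stage halves the population the expensive stage must examine, and it can afford to be sloppy in the direction of admitting too much, because the second stage is what decides. Note that the regex bounds the target length before matching; an unbounded pattern would make the "expensive" stage expensive in the wrong way on the oversized packet.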

4.1.4 Incompletely-Defined Sets

As far as the laws of mathematics refer to reality, they are not certain; and as far as they are certain, they do not refer to reality.
Albert Einstein

Stop for a moment and think about the difficulty of trying to list all the undesirable things that your computer shouldn't do. If you find yourself finished, then ask yourself: did you include that it shouldn't attack other computers? Did you include that it shouldn't transfer $1000 to a mafia-run web site when you really intended to transfer $100 to your mother? Did you include that it shouldn't send spam to your address book? The list goes on and on.

Thus, if we had a complete list of everything that was bad, we'd block it and never have to worry about it again. However, often we either don't know, or the set is infinite.

In some cases, it may be possible to define a list of good things (see 34.1); for example, the list of programs you might need to use in your job may be small, and so they could be enumerated. However, it is easy to imagine where whitelisting would be impossible; for example, it would be impractical to enumerate all the possible good network packets, because there's just so many of them.

It is probably true that computer security is interesting because it is open-ended; we simply don't know ahead of time whether something is good or bad.

So often we can't enumerate all the things we would want to do, nor all the things that we would not want to do. Because of this, intrusion detection systems (see 16) often simply guess; they try to detect attacks unknown to them by looking for features that are likely to be present in exploits but not in normal traffic. At the current moment, you can find out if your traffic is passing through an IPS by trying to send a long string of 0x90 octets (x86 NOPs) in a session. This isn't malicious by itself, but is a common letter with which people pad exploits (see 24.6). In this case, it's a great example of a false positive, or collateral damage, generated through guilt-by-association; there's nothing inherently bad about NOPs, it's just that exploit writers use them a lot, and IPS vendors decided that made them suspicious. I'm not a big fan of these because I feel that it breaks functionality that doesn't threaten the system, and that it could be used as evidence of malfeasance against someone by someone who doesn't really understand the technology. I'm already irritated by the false-positives or excessive warnings about security tools from anti-virus software; it seems to alert to "potentially-unwanted programs" an absurd amount of the time; most novices don't understand that the anti-virus software reads the disk even though I'm not running the programs, and that you have nothing to fear if you don't run the programs. I fear that one day my Internet Service Provider will start filtering them out of my email or network streams, but fortunately they just don't care that much.
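The guilt-by-association heuristic above, written out as an added example (not the book's code and not any IPS vendor's rule) so the false positive can be seen rather than described: a detector that alerts on a long run of 0x90 bytes, run over constructed payloads with known ground truth, one of which is benign binary data that happens to contain such a run. The sample payloads, threshold and function names are my own.

```python
NOP = 0x90


def longest_run(payload, byte=NOP):
    """Length of the longest run of consecutive `byte` values in payload."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best


def nop_run_alert(payload, threshold=32):
    """The feature-based guess the text describes: alert when the payload
    carries a run of NOPs at least `threshold` long."""
    return longest_run(payload) >= threshold


# Constructed samples with ground truth (is_attack). None of these are real
# traffic; the third is benign binary data padded with 0x90, which is the
# collateral-damage case.
SAMPLES = [
    ("padding run like the text describes", b"\x90" * 200 + b"\xcc\xcc\xcc", True),
    ("http request", b"GET / HTTP/1.1\r\nHost: a.test\r\n\r\n", False),
    ("binary blob with 0x90 fill", bytes(range(256)) + b"\x90" * 48 + b"\x00" * 10, False),
    ("short run in a firmware image", b"\x01\x02" + b"\x90" * 8 + b"\xff" * 40, False),
]


def evaluate(samples, threshold=32):
    """Run the heuristic over labelled samples and tally tp/fp/tn/fn."""
    tally = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for _, payload, is_attack in samples:
        alert = nop_run_alert(payload, threshold)
        key = ("t" if alert == is_attack else "f") + ("p" if alert else "n")
        tally[key] += 1
    return tally


if __name__ == "__main__":
    for name, payload, is_attack in SAMPLES:
        print(f"{name:38s} run={longest_run(payload):3d} "
              f"alert={nop_run_alert(payload)} attack={is_attack}")
    print(evaluate(SAMPLES))
```

The tally shows one true positive and one false positive from four samples; raising the threshold would quiet the benign blob here but would also miss shorter runs, which is exactly the error-rate trade-off of 4.1.1. A feature that is merely correlated with attacks cannot escape that trade-off, which is the text's complaint.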

4.2 Security Layers

I like to think of security as a hierarchy. At the base, you have physical security. On top of that is OS security, and on top of that is application security, and on top of that, network security. The width of each layer of the hierarchy can be thought of as the level of security assurance, so that it forms a pyramid.

You may have an unbeatable firewall, but if your OS doesn't require a password and your adversary has physical access to the system, you lose. So each layer of the pyramid cannot be more secure (in an absolute sense) than the layer below it. Ideally, each layer should be available to fewer adversaries than the layer above it, so that one has a sort of balance or risk equivalency.

1. network security
2. application/database security
3. OS security
4. hardware security
5. physical security

dividual computers), and do not distinguish between users of each system. In some sense, we are assigning rights to computers and not people. We are defining which computers may talk to which other computers, or perhaps even to which applications. This is often justified since it is usually easier to leverage one user's access to gain another's within the same system than to gain access to another system (but this is not a truism).

In application or database security, we are concerned about how software applications handle security. For example, most databases have notions of users, and one may allow certain users to access certain databases, tables, or rows and not others. It is assumed that the adversary is one of the users of the system, and the discussion centers around what that user can or cannot do within the application, assuming that the user cannot

In operating system security, we distinguish between users of the system, and perhaps the roles they are fulfilling, and only concern ourselves with activities within that computer. It is assumed that the adversary has some access, but less than full privileges on the system.

Hardware security receives little discussion in security circles, but as processors and chipsets get more complex, there are more vulnerabilities being found within them. In hardware security, we assume that the adversary has root-level access on the system, and discuss what that enables the adversary to do.

When we discuss physical security, we assume that the adversary may physically approach the campus, building, room, or computer. We tend to create concentric security zones around the system, and try to keep adversaries as far away from it as possible. This is because if an adversary gains physical, unmonitored access to the computer system, it is virtually impossible to maintain the security of the system. This kind of discussion is particularly interesting to designers of tamper-resistant systems, such as digital satellite TV receivers.

4.3 Privilege Levels

Here's a taxonomy of some commonly-useful privilege levels.

1. Anonymous, remote systems
2. Authenticated remote systems
3. Local unprivileged user (UID > 0)
4. Administrator (UID 0)
5. Kernel (privileged mode, ring 0)
6. Hardware (TPM, ring -1, hypervisors, trojaned hardware)

the higher the privilege level you get, the harder you can be to detect. The gateways between the levels are access control devices, analogous with firewalls.

4.4 What is a Vulnerability?

Now that you know what a security property is, what constitutes (or should constitute) a vulnerability? On the arguable end of the scale we have loss of availability, or susceptibility to denial of service (DoS). On the inarguable end of the scale, we have loss of control, which usually means arbitrary code execution, which often means that the adversary can do whatever he wants with the system, and therefore can violate any other security property.

In an ideal world, every piece of software would state its assumptions about its environment, and then state the security properties it attempts to guarantee; this would be a security policy. Any violation of these explicitly-stated security properties would then be a vulnerability, and any other security properties would simply be outside the design goals. However, I only know of one piece of commonly-available software which does this, and that's OpenSSL (http://oss-institute.org/FIPS_733/SecurityPolicy-1.1.1_733.pdf).

A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application. Stakeholders include the application owner, application users, and other entities that rely on the application. The term vulnerability is often used very loosely. However, here we need to distinguish threats, attacks, and countermeasures.
OWASP Vulnerabilities Category (http://www.owasp.org/index.php/Category:Vulnerability)

Vulnerabilities can be divided roughly into two categories, implementation bugs and design flaws. Gary McGraw (http://www.cigital.com/~gem/), the host of the Silver Bullet Security Podcast (http://www.cigital.com/silverbullet/), reports that the vulnerabilities he finds are split into these two categories roughly evenly.

4.5 Vulnerability Databases

4.5.1 National Vulnerability Database

NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD

flaws, misconfigurations, product names, and impact metrics.
NVD Home Page

- National Vulnerability Database (http://nvd.nist.gov/)

4.5.2 Common Vulnerabilities and Exposures

International in scope and free for public use, CVE is a dictionary of publicly known information security vulnerabilities and exposures. CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.
CVE Home Page

- Common Vulnerabilities and Exposures (http://cve.mitre.org/)

4.5.3 Common Weakness Enumeration

The Common Weakness Enumeration Specification (CWE) provides a common language of discourse for discussing, finding and dealing with the causes of software security vulnerabilities as they are found in code, design, or system architecture. Each individual CWE represents a single vulnerability type. CWE is currently maintained by the MITRE Corporation with support from the National Cyber Security Division (DHS). A detailed CWE list is currently available at the MITRE website; this list provides a detailed definition for each individual CWE.
CWE Home Page

- Common Weakness Enumeration (http://cwe.mitre.org/)

4.5.4 Open Source Vulnerability Database

OSVDB is an independent and open source database created by and for the community. Our goal is to provide accurate, detailed, current, and unbiased technical information.
OSVDB Home Page

- The Open Source Vulnerability Database (http://osvdb.org/)

4.6 Accuracy Limitations

On two occasions I have been asked, "Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?" In one case a member of the Upper, and in the other a member of the Lower, House put this question. I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.

Charles Babbage

This is sometimes called the GIGO rule (Garbage In, Garbage Out). Stated this way, it seems self-evident. However, you should realize that this applies to systems as well as programs. For example, if your system depends on DNS to locate a host, then the correctness of your system's operation depends on DNS. Whether or not this is exploitable (beyond a simple denial of service) depends a great deal on the details of the procedures. This is a parallel to the question of whether it is possible to exploit a program via an unsanitized input.

You can never be more accurate than the data you used for your input. Try to be neither precisely inaccurate, nor imprecisely accurate. Learn to use footnotes.

4.7 Rice's Theorem

Rice's theorem states that every non-trivial semantic property of programs, that is, a property of what a program computes rather than of how its text looks, is undecidable: no algorithm can decide it correctly for all programs. "Does this program do something malicious?" is such a property, so the theorem has important consequences, like: no modern general-purpose computer can solve the general problem of determining whether or not a program is virus free. A friend pointed out to me that the entire anti-virus industry depends on the public not realizing that this is proven to be an unsolvable (not just a difficult) problem. The anti-virus industry, when it attempts to generate signatures or enumerate badness (see 34.1), is playing a constant game of catch-up, usually a step or two behind their adversaries.

Unfortunately, really understanding and (even more so) explaining decidability problems requires a lot of thinking, and I'm not quite up to the task at the moment, so I'll punt.

• Wikipedia article on Rice's Theorem (http://en.wikipedia.org/wiki/Rice%27s_theorem)

5 Economics of Security

5.1 How Expensive are Security Failures?

Here are some of the examples I could dig up.

5.1.1 TJ Maxx

TJ Maxx was using WEP at their stores and suffered a major loss of data, and large fines:

• WEP Security + Pringles-Can = $1B TJX Loss?
• TJX's failure to secure Wi-Fi could cost $1B
• Report of an Investigation into the Security, Collection and Retention of Personal Information

5.1.2 Greek Cell Tapping Incident

The Greek telephone tapping case of 2004-2005, also referred to as Greek Watergate, involved the illegal tapping of more than 100 mobile phones on the Vodafone Greece network belonging mostly to members of the Greek government and top-ranking civil servants.

On October 19, 2007, Vodafone Greece was again fined €19 million by EETT, the national telecommunications regulator, for alleged breach of privacy rules.

• Wikipedia article
• Greek Watergate scandal sends political shockwaves
• The Athens Affair

5.1.3 VAServ/LxLabs

The discovery of 24 security vulnerabilities may have contributed to the death of the chief of LxLabs. A flaw in the company's HyperVM software allowed data on 100,000 sites, all hosted by VAserv, to be destroyed. The HyperVM solution is popular with cheap web hosting services and the attacks are easy to reproduce, which could lead to further incidents.

• Slashdot article (http://it.slashdot.org/story/09/06/09/1422200/Security-Flaw-Hits-VAserv-Head-of-LxLabs-Found-Hanged)
• LxLabs boss found hanged after vuln wipes websites (http://www.theregister.co.uk/2009/06/09/lxlabs_funder_death/)
• Webhost hack wipes out data for 100,000 sites (http://www.theregister.co.uk/2009/06/08/webhost_attack/)

5.1.4 CardSystems

• CardSystems Solutions Settles FTC Charges (http://www.ftc.gov/opa/2006/02/cardsystems_r.shtm)

5.1.5 Egghead Software

Egghead was hurt by a December 2000 revelation that hackers had accessed its systems and potentially compromised customer credit card data. The company filed for bankruptcy in August 2001. After a deal to sell the company to Fry's Electronics for $10 million fell through, its assets were acquired by Amazon.com for $6.1 million.

...

In December 2000, the company's IIS-based servers were compromised, potentially releasing credit card data of over 3.6 million people. In addition to poor timing near the Christmas season, the handling of the breach by publicly denying that there was a problem, then notifying Visa, who in turn notified banks, who notified consumers, caused the breach to escalate into a full blown scandal.

Wikipedia

• Wikipedia article on Egghead Software (http://en.wikipedia.org/wiki/Egghead_Software)

5.1.6 Heartland Payment Systems

• Heartland sued over data breach (http://news.cnet.com/8301-1009_3-10151961-83.html)

5.1.7 Verizon Data Breach Study

Note that Verizon conducted the study, and one should not construe this section to mean that they had any data breaches themselves.

• Verizon Business 2009 Data Breach Study Finds Significant Rise in Targeted Attacks, Organized Crime Involvement (http://newscenter.verizon.com/press-releases/verizon/2009/verizon-business-2009-data.html)

5.1.8 Web Hacking Incidents Database

• Old Site (http://www.webappsec.org/projects/whid/)
• New Site (http://www.xiom.com/whidf)

5.1.9 DATALOSSdb

• Web Site (http://datalossdb.org/)

• http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/

5.2 Abuse Detection and Response: A Cost-Benefit Perspective

As I mentioned earlier, abuse detection is a kind of classification problem (see 4.1), which will forever be an imprecise science.

In general, you want to balance the costs of false positives (legitimate activity flagged as abuse) and false negatives (abuse that goes undetected). If we assume "rate" means per unit of time, or per number of interactions with the outside world, then the equation would be:

fprate × fpcost = fnrate × fncost

Note that the definitions are very important to the equation! The ratio of abuse or intrusion attempts to legitimate traffic is usually rather low, so naively substituting a conditional chance (the chance that a given legitimate request is flagged, or that a given abuse attempt is missed) for the corresponding rate above will give an incorrect result. This is related to the base-rate fallacy described above (see 4.1.2). What you probably want, then, is to define the abuse ratio (abrat) as the fraction of incoming requests that are abuse attempts, fpchance as the chance that a legitimate request is flagged, and fnchance as the chance that an abuse attempt is missed, and you get:

fprate = (1 − abrat) × fpchance
fnrate = abrat × fnchance

Because abrat is small, the (1 − abrat) factor is close to one while the abrat factor is tiny: even a detector with a low fpchance raises far more false alarms than true detections, so what the analyst experiences is the precision of the alert stream, not fpchance by itself.

Thus, if we wish to avoid the term "rate" as being misleading, then the equation should really be:

(1 − abrat) × fpchance × fpcost = abrat × fnchance × fncost

Abuse detection (see 16) is all about the failure chances (and thus, rates as defined above). Abuse response choices (see 17) determine the cost. For example, anomaly detection will give a higher false positive rate (and lower false negative rate) than misuse detection (see 16.2).

If your response to abuse causes an alert (see 17.1) to be generated, and a human must investigate it, then the false positive cost will be high, so you might want to (for example) do some further validation of the detection event to lower the false positive rate. For example, if your IDS detected a Win32 attack against a Linux system, you might want to avoid generating an alert.

[...] from doing so even if it was a false positive, then you can take a liberal definition of what you consider abusive. To use the above example, one might wish to taint the source (see 17.2.2) and shun him, even if the Win32 attack he launched could not have worked against the Linux box.

Intrusion detection is merely a subset of abuse detection, since an intrusion is only one kind of abuse of a system.

See also 35.7, 35.8.
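
To make the base-rate point concrete, here is an added example (not code from the original book) that evaluates the balance equation above for two hypothetical detectors and applies the kind of validation step just described, dropping alerts whose exploit could not have worked on the target OS. The detector parameters, alert records and host inventory are constructed for illustration; the signature names are not from any real IDS.

```python
"""Cost-benefit model for abuse detection, plus a validation step that lowers
the false positive chance.  Added example; abrat, fpchance, fnchance, fpcost
and fncost follow the definitions given in the text above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Detector:
    name: str
    fpchance: float  # P(flagged | request is legitimate)
    fnchance: float  # P(missed  | request is an abuse attempt)


def rates(abrat, det):
    """Per-request error rates.  abrat is the fraction of requests that are
    abuse attempts, so the (1 - abrat) term weights the legitimate traffic."""
    fprate = (1.0 - abrat) * det.fpchance
    fnrate = abrat * det.fnchance
    tprate = abrat * (1.0 - det.fnchance)  # abuse attempts correctly flagged
    return fprate, fnrate, tprate


def alert_precision(abrat, det):
    """Fraction of raised alerts that are real abuse: what the analyst sees."""
    fprate, _, tprate = rates(abrat, det)
    return tprate / (fprate + tprate)


def expected_cost(abrat, det, fpcost, fncost):
    """Expected cost per request: the two sides of the balance equation added."""
    fprate, fnrate, _ = rates(abrat, det)
    return fprate * fpcost + fnrate * fncost


def break_even_fpcost(abrat, det, fncost):
    """fpcost at which (1-abrat)*fpchance*fpcost == abrat*fnchance*fncost.
    Above it false positives dominate and a cheaper response is needed."""
    return abrat * det.fnchance * fncost / ((1.0 - abrat) * det.fpchance)


# Constructed sample alerts and a constructed host inventory; the signature
# names and addresses are illustrative, not output of any real IDS.
SAMPLE_ALERTS = [
    {"src": "203.0.113.5", "dst": "10.0.0.7", "sig": "win32_smb_overflow", "sig_os": "windows"},
    {"src": "203.0.113.5", "dst": "10.0.0.8", "sig": "win32_smb_overflow", "sig_os": "windows"},
    {"src": "198.51.100.9", "dst": "10.0.0.7", "sig": "linux_ssh_bruteforce", "sig_os": "linux"},
    {"src": "198.51.100.9", "dst": "10.0.0.9", "sig": "http_sqli_probe", "sig_os": "any"},
    {"src": "192.0.2.44", "dst": "10.0.0.7", "sig": "win32_rpc_exploit", "sig_os": "windows"},
]
INVENTORY = {"10.0.0.7": "linux", "10.0.0.8": "windows"}  # 10.0.0.9 is not inventoried


def validate_alerts(alerts, inventory):
    """Drop alerts whose exploit could not have worked on the target's OS.
    Hosts missing from the inventory are kept: suppressing them blindly
    would raise fnchance instead of lowering fpchance."""
    kept = []
    for alert in alerts:
        target_os = inventory.get(alert["dst"])
        if target_os is not None and alert["sig_os"] not in ("any", target_os):
            continue
        kept.append(alert)
    return kept


if __name__ == "__main__":
    abrat = 0.001  # one request in a thousand is an abuse attempt
    misuse = Detector("misuse (signature)", fpchance=0.001, fnchance=0.30)
    anomaly = Detector("anomaly", fpchance=0.020, fnchance=0.05)
    for det in (misuse, anomaly):
        print(f"{det.name:20s} precision={alert_precision(abrat, det):.3f}  "
              f"cost/request with human-reviewed alerts (fpcost=50, fncost=10000)="
              f"{expected_cost(abrat, det, 50, 10000):.3f}  "
              f"with automatic shun (fpcost=1)={expected_cost(abrat, det, 1, 10000):.3f}")
    print(f"anomaly detector stops paying off once fpcost exceeds "
          f"{break_even_fpcost(abrat, anomaly, 10000):.1f}")
    print(f"{len(SAMPLE_ALERTS)} alerts, "
          f"{len(validate_alerts(SAMPLE_ALERTS, INVENTORY))} survive OS validation")
```

With these constructed numbers the anomaly detector raises roughly twenty false alarms for every real detection, which is exactly why its per-alert cost decides whether it is worth running: it wins when the response is an automatic shun, and loses once each alert costs more than about 25 units of analyst time.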

6 Adversary Modeling

If you know the enemy and know yourself, you need not fear the result of a hundred battles.

If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.

If you know neither the enemy nor yourself, you will succumb in every battle.

Sun Tzu, The Art of War (http://en.wikipedia.org/wiki/The_Art_of_War)

After deciding what you need to protect (your assets), you need to know about the threats you wish to protect it against, or the adversaries (sometimes called threat agents) which may threaten it. Generally intelligence units have threat shops, where they monitor and keep track of the people who may threaten their operations. This is natural, since it is easier to get an idea of who will try and do something than how some unspecified person may try to do it, and can help by hardening systems in enemy territory more than those in safer areas, leading to more efficient use of resources. I shall call this adversary modeling.

In adversary modeling, the implicit assumptions are that you have a limited budget and the number of threats is so large that you cannot defend against all of them. So you now need to decide where to allocate your resources. Part of this involves trying to figure out who your adversaries are and what their capabilities and intentions are, and thus how much to worry about particular domains of knowledge or technology. You don't have to know their name, location and social security number; it can be as simple as "some high school student on the Internet somewhere who doesn't like us", "a disgruntled employee" (as opposed to a gruntled employee), or "some sexually frustrated script-kiddie on IRC who doesn't like the fact that he is a jerk who enjoys abusing people and therefore his only friends are other dysfunctional jerks like him". People in charge of doing attacker-centric threat modeling must understand their adversaries and be willing to take chances by allocating resources against an adversary which hasn't actually attacked them yet, or else they will always be defending against yesterday's adversary, and get caught flat-footed by a new one.

6.1 Common Psychological Errors

The excellent but poorly titled[1] book Stumbling on Happiness tells us that we make two common kinds of errors when reasoning about other humans:

1. Overly different; if you looked at grapes all day, you'd know a hundred different kinds, and naturally think them very different. But they all squish when you step on them, they are all fruits and frankly, not terribly different at all. So too we are conditioned to see people as different because the things that matter most to us, like finding an appropriate mate or trusting people, cannot be discerned with questions like "do you like breathing?". An interesting experiment showed that a description of how they felt by people who had gone through a process is more accurate in predicting how a person will feel after the process than a description of the process itself. Put another way, people assume that the experience of others is too dependent on the minor differences between humans that we mentally exaggerate.

2. Overly similar; people assume that others are motivated by the same things they are motivated by; we project onto them a reflection of our self. If a financier or accountant has ever climbed Mount Everest, I am not aware of it. Surely it is a cost center, yes?

6.2 Cost-Benefit

Often, the lower layers of the security hierarchy cost more to build out than the higher levels. Physical security requires guards, locks, iron bars, shatterproof windows, shielding, and various other things which, being physical, cost real money. On the other hand, network security may only need a free software firewall. However, what an adversary could cost you during a physical attack (e.g. a burglar looting your home) may be greater than an adversary could cost you by defacing your website.

6.3 Risk Tolerance

We may assume that the distribution of risk tolerance among adversaries is monotonically decreasing; that is, the number of adversaries who are willing to try a low-risk attack is greater than the number of adversaries who are willing to attempt a high-risk attack to get the same result. Beware of risk evaluation though; while a hacker may be taking a great risk to gain access to your home, local law enforcement with a valid warrant is not going to be risking as much.

[...] unknown, you may wish to have greater network security than physical security, simply because there are going to be more remote attacks.

[1] Stumbling on Happiness is actually a book of psychological illusions, ways that our mind tends to trick us, and not a self-help book.

6.4 Capabilities

You only have to worry about things to the extent they may lie within the capabilities of your adversaries. It is rare that adversaries use outside help when it comes to critical intelligence; it could, for all they know, be disinformation, or the outsider could be an agent-provocateur.

6.5 Sophistication Distribution

If they were capable, honest, and hard-working, they wouldn't need to steal.

Along similar lines, one can assume a monotonically decreasing number of adversaries with a certain level of sophistication. My rule of thumb is that for every person who knows how to perform a technique, there are x people who know about it, where x is a small number, perhaps 3 to 10. The same rule applies to people with the ability to write an exploit versus those able to download and use it (the so-called script kiddies). Once an exploit is coded into a worm, the chance of a compromised host having been compromised by the worm (instead of a human who targets it specifically) approaches 100%.

6.6 Goals

We've all met or know about people who would like nothing more than to break things, just for the heck of it; schoolyard bullies who feel hurt and want to hurt others, or their overgrown sadist kin. Vandals who merely want to write their name on your storefront. A street thug who will steal a cell phone just to throw it through a window. I'm sure the sort of person reading this isn't like that, but unfortunately some people are. What exactly are your adversary's goals? Are they to maximize ROI (Return On Investment) for themselves, or are they out to maximize pain (tax your resources) for you? Are they monetarily or ideologically motivated? What do they consider investment? What do they consider a reward? Put another way, you can't just assign a dollar value on assets, you must consider their value to the adversary.

7 Threat Modeling

Men of sense often learn from their enemies. It is from their foes, not their friends, that cities learn the lesson of building high walls and ships of war.

Aristophanes

In technology, people tend to focus on how rather than who, which seems to work better when anyone can potentially attack any system (like with publicly-facing systems on the Internet) and when protection mechanisms have low or no incremental cost (like with free and open-source software). I shall call modeling these threat modeling (http://en.wikipedia.org/wiki/Threat_model).

7.1 Common Platform Enumeration

CPE is a structured naming scheme for information technology systems, software, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name.

CPE Home Page

The first part of threat modelling should be, what is it I want to protect? And once you start to compile a list of things you wish to protect, you might want a consistent naming system for your computer assets. The CPE may help you here.

• Common Platform Enumeration (http://cpe.mitre.org/)
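
As an added example (not from the original book or the CPE project), the following parses CPE 2.2 URI names and performs the simple component-wise matching the naming scheme is built around, then uses it to answer the threat-modeling question "which of my assets does this affected-product name cover?" The inventory, the host names and the camera vendor's CPE name are constructed for illustration.

```python
"""Parse and match CPE 2.2 URI names of the form
cpe:/part:vendor:product:version:update:edition:language.  Added example
for keeping a consistently named asset inventory; the inventory below is
constructed, and 'example_vendor' is a placeholder, not a real vendor name."""
import re
from urllib.parse import unquote

CPE22_COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")
# part is a (application), h (hardware) or o (operating system); trailing
# components may be omitted, and an omitted or empty component is unspecified.
_CPE22_RE = re.compile(r"^cpe:/(?P<body>[aho](?::[^:]*){0,6})$", re.IGNORECASE)


def parse_cpe22(name):
    """Return a dict of the seven components; absent or empty ones are ''."""
    m = _CPE22_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a CPE 2.2 URI: {name!r}")
    parts = m.group("body").split(":")
    parts += [""] * (len(CPE22_COMPONENTS) - len(parts))
    return {k: unquote(v).lower() for k, v in zip(CPE22_COMPONENTS, parts)}


def cpe_matches(pattern, target):
    """Every component of pattern is either unspecified ('') or equal to the
    target's.  A pattern with fewer components therefore names a family,
    e.g. every version of a product; a fully specified name matches itself."""
    p, t = parse_cpe22(pattern), parse_cpe22(target)
    return all(p[k] == "" or p[k] == t[k] for k in CPE22_COMPONENTS)


# Constructed inventory: host -> CPE names for what runs on it.
INVENTORY = {
    "web01": ["cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/a:apache:http_server:2.2.22",
              "cpe:/a:openbsd:openssh:5.9p1"],
    "db01": ["cpe:/o:canonical:ubuntu_linux:10.04", "cpe:/a:postgresql:postgresql:8.4",
             "cpe:/a:openbsd:openssh:5.3p1"],
    "cam01": ["cpe:/h:example_vendor:ip_camera:1.0"],
}


def hosts_affected(inventory, affected_patterns):
    """Which hosts run something named by any pattern (as an advisory or an
    NVD entry would list them).  Returns {host: [matching CPE names]}."""
    hits = {}
    for host, names in inventory.items():
        matched = [n for n in names if any(cpe_matches(p, n) for p in affected_patterns)]
        if matched:
            hits[host] = matched
    return hits


if __name__ == "__main__":
    advisory = ["cpe:/a:openbsd:openssh:5.3p1", "cpe:/h:example_vendor:ip_camera"]
    for host, names in sorted(hosts_affected(INVENTORY, advisory).items()):
        print(f"{host}: {', '.join(names)}")
```

The asymmetry in cpe_matches is the useful part: an advisory that names a product without a version covers every versioned entry in the inventory, but an inventory entry without a version is not claimed to be hit by a version-specific advisory, which is the conservative direction when the inventory is incomplete.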

7.2 A Taxonomy of Privacy Breaches

• A Taxonomy of Privacy (http://www.concurringopinions.com/archives/2006/03/a_taxonomy_of_p.html)

In the above article, Daniel Solove suggests that breaches of privacy are not of a single type, but can mean a variety of things:

• surveillance
• interrogation
• aggregation
• identification
• insecurity
• secondary use
• exclusion
• breach of confidentiality
• disclosure
• exposure
• increased accessibility
• blackmail
• appropriation
• distortion
• intrusion
• decisional interference

7.3 Threats to Security Properties

An important mnemonic for remembering the threats to security properties, originally introduced when threat modeling, is STRIDE:

• Spoofing
• Tampering
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege

Related links:

• Wikipedia on STRIDE (http://en.wikipedia.org/wiki/STRIDE_(security))
• Uncover Security Design Flaws Using The STRIDE Approach (http://msdn.microsoft.com/en-us/magazine/cc163519.aspx)

7.4 Quantifying Risk

Microsoft has a rating system for calculating risks (http://msdn.microsoft.com/en-us/library/ff648644.aspx). Its mnemonic is DREAD:

• Damage potential
• Reproducibility
• Exploitability
• Affected users
• Discoverability

7.5 Attack Surface

Gnothi Seauton (Know Thyself)

ancient Greek aphorism (http://en.wikipedia.org/wiki/Know_thyself)

When discussing security, it's often useful to analyze the part which may interact with a particular adversary (or set of adversaries). For example, let's assume you are only worried about remote adversaries. If your system or network is only connected to the outside world via the Internet, then the attack surface is the parts of your system that interact with things on the Internet, or the parts of your system which accept input from the Internet. A firewall, then, limits the attack surface to a smaller portion of your systems by filtering some of your network traffic. Often, the firewall blocks all incoming connections.

Sometimes the attack surface is pervasive. For example, if you have a network-enabled embedded device like a webcam on your network that has a vulnerability in its networking stack, then anything which can send it packets may be able to exploit it. Since you probably can't fix the software in it, you must then use a firewall to attempt to limit what can trigger the bug. Similarly, there was a bug in Sendmail that could be exploited by sending a carefully-crafted email through a vulnerable server. The interesting bit here is that it might be an internal server that wasn't exposed to the Internet; the exploit was data-directed and so could be passed through your infrastructure until it hit a vulnerable implementation. That's why I consistently use one implementation (not Sendmail) throughout my network now.

If plugging a USB drive into your system causes it to automatically run things like a standard Microsoft Windows XP installation, then any plugged-in device is part of the attack surface. But even if it does not, then by plugging a USB device in you could potentially overflow the code which handles the USB or the driver for the particular device which is loaded; thus, the USB networking code [...] into the system.

• Malware Distribution through Physical Media a Growing Concern (http://it.slashdot.org/article.pl?sid=08/01/13/1533243)
• usbroken, a USB fuzzer based on Arduino (http://code.google.com/p/usbroken/)
• Schneier Hacking Computers over USB (http://www.schneier.com/blog/archives/2006/06/hacking_compute.html)
• USB Devices can Crack Windows (http://www.eweek.com/c/a/Security/USB-Devices-Can-Crack-Windows/)
• psgroove, a jailbreak exploit for PS3 (http://github.com/psgroove/psgroove)

Moreover, a recent vulnerability (http://it.slashdot.org/it/08/01/14/1319256.shtml) illustrates that when you have something which inspects network traffic, such as uPNP devices or port knocking daemons, then their code forms part of the attack surface.

Sometimes you will hear people talk about the anonymous attack surface; this is the attack surface available to everyone (on the Internet). Since this number of people is so large, and you usually can't identify them or punish them, you want to be really sure that the anonymous attack surface is limited and doesn't have any so-called pre-auth vulnerabilities, because those can be exploited prior to identification and authentication.
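
The remote attack surface of a single host can be inventoried from its listening sockets. The following added example (not the book's code) parses `ss -tlnp`-style output, classifies each socket by the address it is bound to, and then applies the firewall's inbound allow list to arrive at the anonymous attack surface described above. The socket listing, process names and addresses are constructed; `external_addrs` is an assumed set of the host's Internet-reachable addresses.

```python
"""Inventory the remotely reachable listening sockets of a host from
`ss -tlnp`-style output, then apply the firewall's inbound allow list to get
the anonymous attack surface.  Added example; the listing, processes and
addresses below are constructed, not taken from a real host."""
import ipaddress
import re

SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1200,fd=5))
LISTEN  0       128     *:80                 *:*                users:(("nginx",pid=900,fd=6))
LISTEN  0       50      [::1]:6379           [::]:*             users:(("redis-server",pid=1333,fd=6))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       128     10.0.0.7:8080        0.0.0.0:*          users:(("java",pid=1500,fd=30))
"""

_PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def _split_addr(local):
    """'[::1]:6379' -> ('::1', 6379); '*:80' -> ('*', 80)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def parse_listeners(text):
    """One dict per LISTEN line with addr, port, scope, process and pid.
    scope is 'loopback' (local only), 'wildcard' (every interface) or
    'bound' (one specific address)."""
    entries = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = _split_addr(fields[3])
        proc = _PROC_RE.search(line)
        if host == "*":
            scope = "wildcard"
        else:
            ip = ipaddress.ip_address(host)
            scope = "loopback" if ip.is_loopback else "wildcard" if ip.is_unspecified else "bound"
        entries.append({"addr": host, "port": port, "scope": scope,
                        "process": proc.group(1) if proc else "?",
                        "pid": int(proc.group(2)) if proc else None})
    return entries


def anonymous_attack_surface(entries, external_addrs, allowed_ports=None):
    """Sockets an arbitrary Internet host can reach: wildcard binds, plus
    binds to one of this host's externally reachable addresses, minus
    whatever the firewall drops.  allowed_ports=None models no inbound
    filtering at all."""
    surface = []
    for e in entries:
        reachable = e["scope"] == "wildcard" or (
            e["scope"] == "bound" and e["addr"] in external_addrs)
        if reachable and (allowed_ports is None or e["port"] in allowed_ports):
            surface.append(e)
    return surface


if __name__ == "__main__":
    listeners = parse_listeners(SAMPLE_SS_OUTPUT)
    for e in listeners:
        print(f"{e['addr']:>12}:{e['port']:<5} {e['scope']:8} {e['process']}")
    exposed = anonymous_attack_surface(listeners, external_addrs={"203.0.113.10"})
    print("without a firewall:", sorted({(e["port"], e["process"]) for e in exposed}))
    exposed = anonymous_attack_surface(listeners, {"203.0.113.10"}, allowed_ports={80, 443})
    print("with inbound allow list {80, 443}:", [(e["port"], e["process"]) for e in exposed])
```

Two things the output makes visible that a casual `netstat` glance does not: the same daemon can appear twice (once per address family), and a service bound to an internal address is still part of the attack surface for whoever can route to that address, which is the 'pervasive attack surface' case above.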

7.6 Attack Trees

The next logical step is to move from defining the attack surface to modeling attacks and quantifying risk levels.

• Wikipedia on Attack Tree (http://en.wikipedia.org/wiki/Attack_tree)
• Schneier on Attack Trees (http://www.schneier.com/paper-attacktrees-ddj-ft.html)
• https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/requirements/236.html
• Microsoft on Attack Trees (http://msdn.microsoft.com/en-us/library/ff648644.aspx)
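
An added example, not from the original book or the linked papers, that evaluates a small attack tree the way Schneier's paper describes: leaves carry an attacker cost and a "needs special equipment" flag, OR nodes take the cheapest child, AND nodes sum theirs. The tree and all of its costs are constructed to illustrate the mechanics; the countermeasure evaluation at the end shows why a tree is worth more than a list, since raising the cost of one leaf only matters if that leaf was on the cheapest path.

```python
"""Attack tree evaluation in the style of Schneier's paper.  Added example;
the goal, leaves and costs below are constructed, not taken from any real
assessment."""
import copy
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    kind: str = "leaf"            # "leaf", "or" or "and"
    cost: float = 0.0             # attacker cost, meaningful for leaves only
    special_equipment: bool = False
    children: list = field(default_factory=list)


def cheapest(node, allow_special=True):
    """Return (cost, [leaf names]) for the cheapest way to reach `node`, or
    None when no path exists under the constraint.  OR picks the cheapest
    child; AND needs every child and sums them."""
    if node.kind == "leaf":
        if node.special_equipment and not allow_special:
            return None
        return node.cost, [node.name]
    results = [cheapest(c, allow_special) for c in node.children]
    if node.kind == "or":
        options = [r for r in results if r is not None]
        return min(options, key=lambda r: r[0]) if options else None
    if node.kind == "and":
        if any(r is None for r in results):
            return None
        return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")


def requires_special_equipment(node):
    """Boolean attribute propagation: an OR node needs special equipment only
    if every alternative does; an AND node needs it if any step does."""
    if node.kind == "leaf":
        return node.special_equipment
    flags = [requires_special_equipment(c) for c in node.children]
    return all(flags) if node.kind == "or" else any(flags)


def with_leaf_cost(node, leaf_name, new_cost):
    """Copy of the tree with one leaf re-priced, to evaluate a countermeasure
    without mutating the original model."""
    tree = copy.deepcopy(node)

    def visit(n):
        if n.kind == "leaf" and n.name == leaf_name:
            n.cost = new_cost
        for c in n.children:
            visit(c)

    visit(tree)
    return tree


# Constructed tree; costs are in arbitrary currency units.
GOAL = Node("read the encrypted backup tapes", "or", children=[
    Node("brute-force the key", cost=1_000_000, special_equipment=True),
    Node("obtain the key from the admin", "or", children=[
        Node("bribe admin", cost=20_000),
        Node("keylogger on admin workstation", "and", children=[
            Node("enter building after hours", cost=2_000),
            Node("install hardware keylogger", cost=500, special_equipment=True),
        ]),
        Node("phish admin for passphrase", cost=3_000),
    ]),
    Node("steal tapes and the escrowed key", "and", children=[
        Node("steal tapes from offsite courier", cost=5_000),
        Node("compromise escrow service", cost=50_000),
    ]),
])


if __name__ == "__main__":
    print("cheapest attack:", cheapest(GOAL))
    print("cheapest without special equipment:", cheapest(GOAL, allow_special=False))
    print("goal requires special equipment:", requires_special_equipment(GOAL))
    hardened = with_leaf_cost(GOAL, "enter building after hours", 20_000)
    print("after hardening after-hours entry:", cheapest(hardened))
```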

7.7 The Weakest Link

Amdahl's law, also known as Amdahl's argument, is named after computer architect Gene Amdahl, and is used to find the maximum expected improvement to an overall system when only part of the system is improved.

Wikipedia (http://en.wikipedia.org/wiki/Amdahl%27s_law)

You are the weakest link, goodbye!

The Weakest Link (TV series)

Let us think of our security posture for whatever we're protecting as being composed of a number of systems (or groups of systems possibly offering defense-in-depth). The strength of these systems to attack may vary. You may wish to pour all your resources into one, but the security will likely be broken at the weakest point, either by chance or by an intelligent adversary.

This is an analogy to Amdahl's law, stated above, in that we can only increase our overall security posture by maintaining a delicate balance between the different defenses to attack vectors. Most of the time, your resources are best spent on the weakest area, which for some institutions (financial, military) is usually personnel.

The reasons you might not balance all security systems may include:

Economics matter here; it may be much cheaper and more reliable to buy a firewall than put your employees through security training. Software security measures sometimes have zero marginal cost, but hardware almost always has a marginal cost.

Exposure affects your risk calculations; an Internet attack is much more likely than a physical attack, so you may put more effort into Internet defense than physical defense.

Capability differs, in that organizations have varying abilities. For example, the military may simply make carrying a thumb drive into the facility a punishable offense, but a commercial organization may find that too difficult or unpopular to enforce. An Internet company, by contrast, may have a strong technical capability, and so might choose to write software to prevent the use of thumb drives.

8 Physical Security

When people think of physical security, they often think of the strength of access control devices, but that is rarely where the limit is; I recall a story of a cat burglar who used a chainsaw to cut through victims' walls, bypassing any access control devices. I remember [...] security.

• Wikipedia article on Physical Security (http://en.wikipedia.org/wiki/Physical_security)

8.1 No Physical Security Means No Security

While the locks are getting tougher, the door and frame are getting weaker. A well-placed kick usually does the trick.

a burglar

A couple of limitations come up without physical security for a system. For confidentiality, all of the sensitive data needs to be encrypted. But even if you encrypt the data, an adversary with physical access could trojan the OS and capture the data (this is a control attack now, not just a confidentiality breach; go this far and you've protected against overt seizure, theft, improper disposal and such). So you'll need to protect the confidentiality and integrity of the OS, or he trojans the kernel. If you protect the kernel, he trojans the boot loader. If you protect the boot loader (say by putting it on a removable medium), he trojans the BIOS. If you protect the BIOS, he trojans the CPU. So you put a tamper-evident label on it, with your signature on it, and check it every time. But he can install a keyboard logger. So suppose you make a sealed box with everything in it, and connectors on the front. Now he gets measurements and photos of your machine, spends a fortune replicating it, replaces your system with an outwardly identical one of his design (the trojan box), which communicates (say, via encrypted spread-spectrum radio) to your real box. When you type plaintext, it goes through his system, gets logged, and relayed to your system as keystrokes. Since you talk plaintext, neither of you are the wiser.

The physical layer is a common place to facilitate a side-channel attack (see 31.2).

8.2 Data Remanence

I know what your computer did last summer.

Data remanence is the residual physical representation of your information on media after you believe that you have removed it (definition thanks to Wikipedia, http://en.wikipedia.org/wiki/Data_remanence). This is a disputed region of technology, with a great deal of speculation, self-styled experts, but very little hard science.

• A Guide to Understanding Data Remanence in Automated Information Systems (Ver. 2 09/91) (http://www.fas.org/irp/nsa/rainbow/tg025-2.htm)
• National Security Agency/CSS Degausser Products List 25 Sep 2001 (http://www.fas.org/irp/nsa/degausse.pdf)

Last time I looked most of the degaussers require 220V power and may not work on hard drives, due to their high coercivity.

As of 2006, the most definitive study seems to be the NIST Computer Security Division paper Guidelines for Media Sanitization (http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf). NIST is known to work with the NSA on some topics, and this may be one of them. It introduces some useful terminology:

disposing is the act of discarding media with no other considerations

clearing is a level of media sanitization that resists anything you could do at the keyboard or remotely, and usually involves overwriting the data at least once

purging is a process that protects against a laboratory attack (signal processing equipment and specially trained personnel)

destroying is the ultimate form of sanitization, and means that the medium can no longer be used as originally intended

8.2.1 Magnetic Storage Media (Disks)

The seminal paper on this is Peter Gutmann's Secure Deletion of Data from Magnetic and Solid-State Memory (http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html). In early versions of his paper, he speculated that one could extract data due to hysteresis effects even after a single overwrite, but on subsequent revisions he stated that there was no evidence a single overwrite was insufficient. Simson Garfinkel wrote about it recently in his blog (https://www.techreview.com/blog/garfinkel/17567/).

The NIST paper has some interesting tidbits in it. Obviously, disposal cannot protect confidentiality of unencrypted media. Clearing is probably sufficient security for 99% of all data; I highly recommend Darik's Boot and Nuke (http://dban.sourceforge.net/), which is a bootable floppy or CD based on Linux. However, it cannot work if the storage device stops working properly, and it does not overwrite sectors or tracks marked bad and transparently relocated by the drive firmware. With all ATA drives over 15GB, there is a secure delete ATA command which can be accessed from hdparm within Linux, and Gordon Hughes has some interesting documents and a Microsoft-based utility (http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml). One caveat: the drive will reject the security commands while it is in the "frozen" state, which most BIOSes put it into at boot; hdparm -I reports whether a drive is frozen, and a suspend/resume cycle or hot-plugging the drive usually clears it.

• [...] secure-erase-data-security-you-already-own/)

In the case of very damaged disks, you may have to resort to physical destruction. However, with disk densities being what they are, even 1/125 of a disk platter may hold a full sector, and someone with absurd amounts of money could theoretically extract small quantities of data. Fortunately, nobody cares this much about your data.
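
Before issuing the ATA secure erase mentioned above, it is worth checking that the drive will actually accept it: `hdparm -I` reports whether the ATA Security feature set is supported, whether the drive is frozen, whether it is locked, whether a user password is already enabled, and whether enhanced erase is offered. The following is an added example (not the author's or hdparm's code) that parses that section from constructed `hdparm -I` listings and assembles the hdparm invocations as strings rather than running them, since they destroy the drive's contents; the device name and password are placeholders.

```python
"""Check whether a drive is ready for an ATA Secure Erase by parsing the
'Security:' section of `hdparm -I` output.  Added example; the two listings
below are constructed to show a ready drive and a frozen one, and the hdparm
commands are returned as strings, never executed."""
import re

READY_DRIVE = """\
ATA device, with non-removable media
\tModel Number:       EXAMPLE-DISK-2TB
Security: 
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t240min for SECURITY ERASE UNIT. 240min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""

# Same drive after the BIOS has issued SECURITY FREEZE LOCK at boot.
FROZEN_DRIVE = READY_DRIVE.replace("\tnot\tfrozen", "\t\tfrozen")

_ERASE_TIME_RE = re.compile(
    r"(\d+)min for SECURITY ERASE UNIT\. (\d+)min for ENHANCED SECURITY ERASE UNIT")
_FLAG_KEYS = {"supported": "supported", "enabled": "enabled", "locked": "locked",
              "frozen": "frozen", "supported: enhanced erase": "enhanced_erase"}


def parse_security_section(text):
    """Return the security flags as booleans plus the advertised erase times.
    hdparm prints each flag indented, prefixed with 'not' when it is off."""
    flags = {"supported": False, "enabled": False, "locked": False, "frozen": False,
             "enhanced_erase": False, "erase_minutes": None, "enhanced_erase_minutes": None}
    in_section = False
    for line in text.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if not in_section:
            continue
        if not line.startswith(("\t", " ")):
            break  # next top-level section of the -I output
        m = _ERASE_TIME_RE.search(line)
        if m:
            flags["erase_minutes"] = int(m.group(1))
            flags["enhanced_erase_minutes"] = int(m.group(2))
            continue
        words = line.split()
        if not words or words[0] == "Master":
            continue
        negated = words[0] == "not"
        item = " ".join(words[1:] if negated else words)
        key = _FLAG_KEYS.get(item)
        if key:
            flags[key] = not negated
    return flags


def secure_erase_blockers(flags):
    """Reasons SECURITY ERASE UNIT would be rejected, or needs a different
    procedure.  An empty list means the drive is ready."""
    blockers = []
    if not flags["supported"]:
        blockers.append("drive does not implement the ATA Security feature set")
    if flags["frozen"]:
        blockers.append("drive is frozen (BIOS issued SECURITY FREEZE LOCK); "
                        "suspend/resume or hot-plug the drive, then re-check")
    if flags["locked"]:
        blockers.append("drive is locked; unlock it with the existing password first")
    if flags["enabled"]:
        blockers.append("security is already enabled: a user password is set, so "
                        "erase with that password instead of setting a new one")
    return blockers


def hdparm_erase_commands(device, password, flags):
    """The two hdparm invocations as strings: set a user password, then erase.
    Enhanced erase is preferred when offered, since it also covers sectors the
    firmware has remapped, which a software overwrite cannot reach."""
    erase_opt = "--security-erase-enhanced" if flags["enhanced_erase"] else "--security-erase"
    return [f"hdparm --user-master u --security-set-pass {password} {device}",
            f"hdparm --user-master u {erase_opt} {password} {device}"]


if __name__ == "__main__":
    for label, listing in (("ready", READY_DRIVE), ("frozen", FROZEN_DRIVE)):
        flags = parse_security_section(listing)
        blockers = secure_erase_blockers(flags)
        print(f"{label}: enhanced={flags['enhanced_erase']} "
              f"eta={flags['enhanced_erase_minutes']}min blockers={blockers or 'none'}")
        if not blockers:
            print("\n".join(hdparm_erase_commands("/dev/sdX", "p", flags)))
```

The erase-time line is worth reading too: a drive that claims a two-minute enhanced erase on a multi-terabyte disk is doing a cryptographic erase (discarding an internal key) rather than overwriting, which is fine if you trust the firmware and not otherwise.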

Now, you may wonder what you can do about very damaged disks, or what to do if the media isn't online (for example, you buried it in an underground bunker), or if you have to get rid of the data fast. I would suggest that encrypted storage (see 28.7) would almost always be a good idea. If you use it, you merely have to protect the confidentiality of the key, and if you can properly sanitize the media, all the better. Recently Simson Garfinkel re-discovered a technique for getting the data off broken drives; freezing them. Another technique that I have used is to replace the logic board with one from a working drive.

• Hard drive's data survives shuttle explosion (http://blocksandfiles.com/article/5056)
• German firm probes final World Trade Center deals (http://www.prisonplanet.com/german_firm_probes_final_world_trade_center_deals.htm)
• Wikipedia entry on Data Recovery (http://en.wikipedia.org/wiki/Data_recovery)
• 200 ways to recover your data (http://btjunkie.org/torrent/200-Ways-To-Recover-Revive-Your-Hard-Drive/4358cd27083f53a0d4dc3a7ec8354d22b6157453496)
• Data Recovery blog (http://datarecovery-hddrecovery.blogspot.com/)

8.2.2 Semiconductor Storage (RAM)

Peter Gutmann's Data Remanence in Semiconductor Devices (http://www.cypherpunks.to/~peter/usenix01.pdf) shows that if a particular value is held in RAM for extended periods of time, various processes such as electromigration make permanent changes to the semiconductor's structure. In some cases, it is possible for the value to be burned in to the cell, such that it cannot hold another value.

Cold Boot Attack Recently a Princeton team (http://citp.princeton.edu/memory/) found that the values held in DRAM decay in predictable ways after power is removed, such that one can merely reboot the system and recover keys for most encrypted storage systems (http://citp.princeton.edu/pub/coldboot.pdf). By cooling the chip first, this data remains longer. This generated much talk in the industry. This prompted an interesting overview of attacks against encrypted storage systems (http://www.news.com/8301-13578_3-9876060-38.html).

• [...] 12/bbtv-hacker-howto-co.html)

Direct Memory Access It turns out that certain peripheral devices, notably Firewire, have direct memory access.

This means that you can plug something into the computer and read data directly out of RAM.

That means you can read passwords directly out of memory:

• http://storm.net.nz/projects/16

Reading RAM With A Laser

• On A New Way to Read Data from Memory (http://www.cl.cam.ac.uk/~rja14/Papers/SISW02.pdf)

8.3 Smart Card Attacks

This section deserves great expansion.

Instead I'll punt and point you at the latest USENIX conference on this:

• Usenix CARDIS02 (http://www.usenix.org/publications/library/proceedings/cardis02/tech.html)

9 Hardware Security

9.1 Introduction

Hardware security is a term I invented to describe the security models provided by a CPU (http://en.wikipedia.org/wiki/Central_processing_unit), associated chipset (http://en.wikipedia.org/wiki/Chipset) and peripheral hardware. The assumption here is that the adversary can create and execute program code of his own choosing, possibly as an administrator (root). As computer hardware and firmware (http://en.wikipedia.org/wiki/Firmware) becomes more complex, there will be more and more vulnerabilities found in it, so this section is likely to grow over time.

Each computer hardware architecture is going to have its own security models, so this discussion is going to be specific to the hardware platform under consideration.

9.2 Protection Rings

Most modern computer systems have at least two modes of operation; normal operation and privileged mode. The vast majority of software runs in normal mode, and the operating system, or more accurately the kernel, runs in privileged mode. Similarly, most of the functionality of the CPU is available in normal mode, whereas a small but significant portion, such as that related to memory management and communicating with hardware, is restricted to that operating in privileged mode.

Some CPU architectures go farther and define a series of hierarchical protection domains that are often called protection rings (http://en.wikipedia.org/wiki/Ring_(computer_security)). This is a simple extrapolation of the two-level normal/privileged mode into multiple levels, or rings.

9.3 Operating Modes

The Intel architectures in particular have several operating modes. These are not privilege rings, but rather represent the state that the CPU is in, which affects how various instructions are interpreted:

• Real-address mode (http://en.wikipedia.org/wiki/Real_mode)
• Protected Mode (http://en.wikipedia.org/wiki/Protected_mode)
• System Management Mode (http://en.wikipedia.org/wiki/System_Management_Mode)
• Virtual 8086 Mode (http://en.wikipedia.org/wiki/Virtual_8086_mode)

9.4 NX bit

The NX bit, which stands for No eXecute, is a technology used in CPUs to segregate areas of memory for use by either storage of processor instructions (or code) or for storage of data, a feature normally only found in Harvard architecture processors. However, the NX bit is being increasingly used in conventional von Neumann architecture processors, for security reasons.

An operating system with support for the NX bit may mark certain areas of memory as non-executable. The processor will then refuse to execute any code residing in these areas of memory. The general technique, known as executable space protection, is used to prevent certain types of malicious software from taking over computers by inserting their code into another program's data storage area and running their own code from within this section; this is known as a buffer overflow attack.

Wikipedia

• Wikipedia entry on NX bit (http://en.wikipedia.org/wiki/NX_bit)

9.5 Supervisors and Hypervisors

ˆ SupervisoryProgram(http://en.wikipedia.org/wiki/Supervisory_program)

ˆ Hypervisor (http://en.wikipedia.org/wiki/Hypervisor)

9.6 Trusted Computing

ˆ TrustedPlatformModule(http://en.wikipedia.org/wiki/Trusted_Platform_

Module)

ˆ TrustedComputing: TheMother(board)ofAllBigBrothers (http://www.

ypherpunks.to/TCPA_DEFCON_10.pdf)

ˆ Trusted Computing Group (http://en.wikipedia.org/wiki/Trusted_

Computing_Group)

ˆ IntelTCPAOverview(http://yuan.e om. mu.edu/trust/ d/Presentations/

Intel%20TCPA%20Overview.ppt)

ˆ TrustedComputingGrouphomepage(http://www.trusted omputinggroup.

org/)

ˆ EFF: TrustedComputing: Promise andRisk (http://www.eff.org/wp/

trusted- omputing-promise-and-risk)

ˆ RossAnderson'sTCPAFAQ(http://www. l. am.a .uk/~rja14/t pa-faq.

html)

ˆ FSF:CanYouTrustTrustedComputing(http://www.gnu.org/philosophy/

an-you-trust.html)

ˆ OpenTCproje t (http://www.opent .net/)

ˆ IBMTCPA Group (http://www.resear h.ibm. om/gsal/t pa/)

ˆ InneonTPM hipha ked(http://www.flylogi .net/blog/?tag=infineon)

(41)

Not really a backdoor, but the wake-on-LAN and remote management facilities could be used by an attacker.

• Intel vPro (http://en.wikipedia.org/wiki/Intel_vPro)

• Big Brother Potentially Exists Right Now (http://www.tgdaily.com/hardware-opinion/39455-big-brother-potentially-exists-right-now-in-our-pcs-compliments-of-intels-vpr) (note: he is wrong about what ECHELON is)

9.8 Hardware Vulnerabilities and Exploits

• f00f bug (http://en.wikipedia.org/wiki/F00f)

• Cyrix Coma Bug (http://en.wikipedia.org/wiki/Cyrix_coma_bug)

• Using CPU System Management Mode to Circumvent Operating System Security Functions (http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/cansecwest2006-duflot-paper.pdf)

• Attacking SMM Memory via Intel CPU Cache Poisoning (http://theinvisiblethings.blogspot.com/2009/03/attacking-smm-memory-via-intel-cpu.html)

• Attacking Intel Trusted Execution Technology (http://www.blackhat.com/presentations/bh-dc-09/Wojtczuk_Rutkowska/BlackHat-DC-09-Rutkowska-Attacking-Intel-TXT-slides.pdf)

• Blue Pill (http://en.wikipedia.org/wiki/Blue_Pill_(malware))

• SMM Rootkits: A New Breed of OS Independent Malware (http://www.eecs.ucf.edu/%7Eczou/research/SMM-Rootkits-Securecom08.pdf)

• Subverting the Xen Hypervisor (http://invisiblethingslab.com/resources/bh08/)

• TPM Reset Attack (http://www.cs.dartmouth.edu/~pkilab/sparks/)

10 Distributed Systems

10.1 Network Se urity Overview

The things involved in network security are called nodes. One can talk about networks composed of humans (social networks), but that's not the kind of network we're talking about here; I always mean a computer unless I say otherwise.

Often in network security the adversary is assumed to control the network in
