Computing Infrastructure Risk

(1)

Carnegie Mellon

®

Carnegie Mellon

® ®

Computing Infrastructure Risk

Issue, Analysis, and Recommendation

Lynn Robert Carter Lynn Robert Carter

(2)

Agenda



 Computing infrastructure at risk _{Computing infrastructure at risk}



 The root cause _{The root cause}



 Solution elements are known _{Solution elements are known}



 Barriers to implementing the solution_{Barriers to implementing the solution}



(3)

Infrastructure Risk



 Our computing infrastructure is at risk _{Our computing infrastructure is at risk}



 Numerous botnets have compromised millions _{Numerous botnets have compromised millions} of machines around the world

of machines around the world



 _{Denial of service attacks are the very visible}_{Denial of service attacks are the very visible}

tip of the

tip of the ““icebergiceberg” ” of what is possible of what is possible



(4)

Spam load approaching 90%

(5)

Distributed computing threat



 _{The SETI network has borrowed over 3.4}_{The SETI network has borrowed over 3.4} ××₁₀₁₀6 6

years of compute power from its donors years of compute power from its donors



 _{Such compute power can be used to solve any}_{Such compute power can be used to solve any}

number of problems, many to our detriment number of problems, many to our detriment

–

– Denial of service attacks and extortion Denial of service attacks and extortion –

– Discover access methods to secure systems Discover access methods to secure systems –

(6)

le.jh el07/botnet061307.htm /pressr www.fbi.gov/pressrel / / http

The rise of botnets



 Known botnets have compromised many _{Known botnets have compromised many} millions of machines

millions of machines

–

– A Dutch botnet of 1.5 million reported in 2005A Dutch botnet of 1.5 million reported in 2005

http

http::////www.informatwww.informationweek.com/shared/printableArtionweek.com/shared/printableArticicle.jhttmmll?ar?artticicleIleIDD=172303265 =172303265

–

– FBI: a botnet of 1 million US machines in 2007FBI: a botnet of 1 million US machines in 2007

http:://www.fbi.gov/pressrel/pressrel07/botnet061307.htm



 _New_New _“_“_rootkits_rootkits_”_” _{make it harder to tell that a}_{make it harder to tell that a}

machine is compromised or repair the system machine is compromised or repair the system

short of initializing the hard drive short of initializing the hard drive

(7)

New targets of opportunity



 Personal computers are just one target that the _{Personal computers are just one target that the} bad guys can hit

bad guys can hit



 _{Any computing device that can access the}_{Any computing device that can access the}

internet is potentially at risk internet is potentially at risk

–

– Cell phones, PDAs, and media players Cell phones, PDAs, and media players –

– Entertainment systems Entertainment systems –

(8)

Impact analysis

--11



 The banking industry has been hit hard _{The banking industry has been hit hard}



 Identity theft through phishing is just one path_{Identity theft through phishing is just one path}



 Compromised computers can provide a wealth _{Compromised computers can provide a wealth} of valuable information

of valuable information

–

– Anything the user sees or types can be stolen Anything the user sees or types can be stolen –

– Data on the hard drive can be read or altered Data on the hard drive can be read or altered –

– Built in cameras and microphones can be used, Built in cameras and microphones can be used, even when the device appears to be off

(9)

Impact analysis

--22



 Denial of service attacks have caused firms to _{Denial of service attacks have caused firms to} pay to avoid future attacks

pay to avoid future attacks



 _{Most attacks appear to have been for monetary}_{Most attacks appear to have been for monetary}

gain or to prove capabilities, but the attack on gain or to prove capabilities, but the attack on

former Soviet Block Georgia hints at what can former Soviet Block Georgia hints at what can

be done be done



 The full potential of their capabilities is not _{The full potential of their capabilities is not} clear; many options are not easily profitable clear; many options are not easily profitable

(10)

Impact analysis

--33



 Technology exists to falsify anything digital _{Technology exists to falsify anything digital}

–

– The entertainment industry has shown us what is The entertainment industry has shown us what is possible (The Curious Case of Benjamin Button) possible (The Curious Case of Benjamin Button) –

– Morphing still images, voices and videos is known Morphing still images, voices and videos is known technology and can be used to prompt potentially technology and can be used to prompt potentially inappropriate action

inappropriate action



 _{Many systems can be remotely controlled; the}_{Many systems can be remotely controlled; the}

latest

(11)

Impact analysis

--44



 Private networks and custom systems have the _{Private networks and custom systems have the} potential to avoid many of these risks

potential to avoid many of these risks



 _{All it takes to compromise such a solution is to}_{All it takes to compromise such a solution is to}

have one weak link

have one weak link… … humans are notoriously humans are notoriously weak links in any security system

weak links in any security system



 Every aspect of business, government, and part _{Every aspect of business, government, and part} of our military computing infrastructure is at

of our military computing infrastructure is at risk and the exposure is growing

(12)

Agenda



 Computing infrastructure at risk _{Computing infrastructure at risk}



 The root causes _{The root causes}



 Solution elements are known _{Solution elements are known}



(13)

The root causes



 Root cause: security was not a fundamental _{Root cause: security was not a fundamental} design criteria

design criteria



 _{The so called von Neumann architecture can}_{The so called von Neumann architecture can}

be easily misused to change a program so it be easily misused to change a program so it

performs completely unrelated functions performs completely unrelated functions



 The internet was designed to connect trusted _{The internet was designed to connect trusted} researchers with the assumption that if you researchers with the assumption that if you

were on the net, you must be a good guy were on the net, you must be a good guy

(14)

von Neumann architecture



 While not actually von Neumann_{While not actually von Neumann}’’s creation, s creation, his computer architecture paper, where data his computer architecture paper, where data

and code are stored in the same memory, was and code are stored in the same memory, was

the one that became popular the one that became popular



 Programs can alter their own code as easily as _{Programs can alter their own code as easily as} they alter data; some software depends on this they alter data; some software depends on this



 File systems can also be easily compromised _{File systems can also be easily compromised} in much the same way

(15)

Buffer overflow



 Mitre reported that 85% of vulnerabilities in _{Mitre reported that 85% of vulnerabilities in} 2005 were application exploits

2005 were application exploits



 _{Buffer overflow has been a common method}_{Buffer overflow has been a common method}

employed to attack applications along with employed to attack applications along with

“

“design errorsdesign errors” ” and and ““exceptional conditionsexceptional conditions” ”



 Both operating systems and the applications _{Both operating systems and the applications}

provide pathways to compromise systems provide pathways to compromise systems

(16)

Security was not a design goal



 Computers, operating systems, programming _{Computers, operating systems, programming} languages, applications, and many internet

languages, applications, and many internet

protocols and systems were not designed to be protocols and systems were not designed to be

secure secure



 More than 20 years has passed since the first _{More than 20 years has passed since the first} major computer virus and we are still in an major computer virus and we are still in an

escalating game of

escalating game of ““cat and mousecat and mouse” ” or maybe or maybe mor

(17)

Agenda



 The root causes _{The root causes}



 Solution elements are known _{Solution elements are known}



(18)

Other architectures



 The _The ““HarvardHarvard” ” architecture is similar to the architecture is similar to the “

“von Neumannvon Neumann” ” architecture, in that it uses architecture, in that it uses both

both ““stored program and datastored program and data””; but they are ; but they are not stored in the same memory

not stored in the same memory



 Memory management schemes to separate data _{Memory management schemes to separate data} from instructions have existed

from instructions have existed



 Operating systems have existed that separate _{Operating systems have existed that separate}

the operating system from the application the operating system from the application

(19)

An unfortunate failure



 The iAPX 432 was a 1980s era microprocessor _{The iAPX 432 was a 1980s era microprocessor} designed to support object orientation and

designed to support object orientation and segmented memory in hardware

segmented memory in hardware



 Replacing pointers with _{Replacing pointers with} ““protected objectprotected object” ”

references (called capabilities) that can only be references (called capabilities) that can only be

created by privileged instructions is a way to created by privileged instructions is a way to

design security into the hardware design security into the hardware



(20)

Virtualization



 Isolating the application and its environment _{Isolating the application and its environment} from the real operating system and file system from the real operating system and file system

is another known solution is another known solution



 _{Each time an application is launched, create a}_{Each time an application is launched, create a}

virtual machine, operating system instance, virtual machine, operating system instance,

and application instance from a read

and application instance from a read--only file only file system employing independent checksums

system employing independent checksums



 A _A ““securitysecurity” ” processor can host a miniprocessor can host a mini--cloud cloud

of

(21)

Trusted computing



 Security depends upon secure foundations _{Security depends upon secure foundations}



 Processors must be uniquely identified _{Processors must be uniquely identified}



 Authentication of message sender and source _{Authentication of message sender and source} is a crucial element of secure computing

is a crucial element of secure computing



 _{Key elements of security must be implemented}_{Key elements of security must be implemented}

in the hardware so physical security can be in the hardware so physical security can be

used to guarantee cyber security used to guarantee cyber security

(22)

Trusted communication



 Authentication of pushed messages and similar _{Authentication of pushed messages and similar} checking for pulled messages is crucial

checking for pulled messages is crucial



 _{Randomness and multiple}_{Randomness and multiple}_-_-_{independent agents}_{independent agents}

must be at the heart of authentication must be at the heart of authentication

–

– The authentication agents used must be randomThe authentication agents used must be random –

(23)

Computing antibodies



 We must change the way systems are built so _{We must change the way systems are built so} they are aware of attacks and respond to them they are aware of attacks and respond to them

–

– From notifying authorities to locking down certain From notifying authorities to locking down certain key capabilities, a system should not just patiently key capabilities, a system should not just patiently endure an attack until the attacker succeeds

endure an attack until the attacker succeeds –

– The new secure internet protocols must be able to The new secure internet protocols must be able to track attacks back to its source via hardware

track attacks back to its source via hardware



(24)

Agenda



 Solution elements are known _{Solution elements are known}



 Barriers to implementing the solution_{Barriers to implementing the solution}



(25)

Barriers

--11 

 The bad guys will not just sit around idle while _{The bad guys will not just sit around idle while} we implement our solution if they know what we implement our solution if they know what

we propose to do we propose to do



 Many users want anonymity and yet they want _{Many users want anonymity and yet they want} to deal with a trusted

to deal with a trusted--known supplier known supplier



 Current computing/networking marketplace _{Current computing/networking marketplace}

does not have enough true competition for does not have enough true competition for

normal market forces to work effectively normal market forces to work effectively

(26)

Barriers

--22 

 Many governments and corporations are in a _{Many governments and corporations are in a} conflict of interest; many might perceive that conflict of interest; many might perceive that

changing the

changing the status quo status quo could cost them could cost them



 Changing internet equipment and all of the key _{Changing internet equipment and all of the key}

infrastructure computers with be very costly infrastructure computers with be very costly



 A system is only as secure as its weakest link; _{A system is only as secure as its weakest link;} people can still compromise aspects of this

people can still compromise aspects of this solution, even if only temporarily

(27)

Agenda



 Solution elements are known _{Solution elements are known}



 Barriers to implementing the solution_{Barriers to implementing the solution}



(28)

Recommendation

--11



 The cyber equivalent of the Manhattan Project_{The cyber equivalent of the Manhattan Project}



 A black program must be launched to build a _{A black program must be launched to build a} new set of foundational cyber building blocks new set of foundational cyber building blocks

upon which to build a secure infrastructure upon which to build a secure infrastructure



 The solution must allow the current insecure _{The solution must allow the current insecure} implementations to run atop it as legacy until implementations to run atop it as legacy until

market forces and conditions dictate they be market forces and conditions dictate they be

replaced with secure solutions replaced with secure solutions

(29)

Recommendation

--22



 Reuse of current computing assets is key, but it _{Reuse of current computing assets is key, but it} will not take precedence over security

will not take precedence over security



 _{Asymmetric security is key; a trusted agent}_{Asymmetric security is key; a trusted agent}

must be able to provide trusted copies of data must be able to provide trusted copies of data

to insecure users to insecure users



 Parallel operation and proven protection of key _{Parallel operation and proven protection of key} national assets must be ensured before the

national assets must be ensured before the existence of the project is made public

(30)

Recommendation

--3 3



 Programs to quickly and fairly move the _{Programs to quickly and fairly move the}

technology into the market are crucial technology into the market are crucial



 _{Significant effort to prepare for education,}_{Significant effort to prepare for education,}

training, skill, and behavior change programs training, skill, and behavior change programs

must be developed in preparation for the must be developed in preparation for the

program coming out of the black program coming out of the black



 Preparation for political, legal, business and _{Preparation for political, legal, business and} social issues must be a priority

(31)

Closing thoughts



 The cost of recovering from the damage to _{The cost of recovering from the damage to} New Orleans has far exceeded what would New Orleans has far exceeded what would

have been required to protect it from Katrina have been required to protect it from Katrina



 The cost of effective financial oversight would _{The cost of effective financial oversight would} have been several orders of magnitude less

have been several orders of magnitude less than the wealth that has been lost this year than the wealth that has been lost this year



 We cannot continue to play this cyber security _{We cannot continue to play this cyber security} game when so much is at stake

(32)

Carnegie Mellon

®

Carnegie Mellon

® ®

Computing Infrastructure Risk

Issue, Analysis, and Recommendation

Lynn Robert Carter Lynn Robert Carter