
Security Boundaries

Stephen Farrell

Department of Computer Science

Trinity College Dublin

*******.*******@**.***.**

Open Group Conference, Budapest

22nd October 2007

These slides: https://down.dsg.cs.tcd.ie/misc/tog.pdf

Trinity College Dublin

1

Synopsis

There are so many different security boundaries in play nowadays that new types of security architecture and analysis may be needed...
...but we don't have much new so far.
Anyway, we'll look at some security boundaries from the metal on up...
...and see what we find.


Side Channels

Million message attack on TLS
  Naive error handling leaks information: a server that reports padding failures distinctly from other failures acts as an oracle for the attacker
  Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS#1, Bleichenbacher, 1998
Hyper-threaded CPUs share caches between simultaneously running threads
  Private key sniffing via cache misses
  Cache Missing for Fun and Profit, Percival, 2005
New side-channels continually emerging
  USB stick private key power analysis
  How Not to Protect PCs from Power Analysis, Oren, Shamir, 2006
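As an added example (not from the slides), the Python below models the oracle behind the million message attack: a server whose PKCS#1 v1.5 unpadding reports a padding failure as a distinct error, beside one that applies the standard countermeasure of never signalling a failure and continuing with a random secret. The RSA key is a toy built from two Mersenne primes so that the code runs offline; the primes, key size, message length and port of the example are assumptions, not anything from the original talk.

```python
"""Toy PKCS#1 v1.5 decryption server: vulnerable vs. hardened error handling.

Added example, not from the slides. The key below is a constructed toy
(n = (2^89 - 1) * (2^107 - 1), about 196 bits) chosen only so the example
runs offline; never use it, or a key this small, for anything real.
"""
import os

P = (1 << 89) - 1          # Mersenne prime M89 (assumed toy factor)
Q = (1 << 107) - 1         # Mersenne prime M107 (assumed toy factor)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8      # modulus length in bytes (25 here)


def rsa_encrypt(em: bytes) -> int:
    return pow(int.from_bytes(em, "big"), E, N)


def rsa_decrypt(c: int) -> bytes:
    return pow(c, D, N).to_bytes(K, "big")


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EM = 0x00 || 0x02 || PS (>= 8 non-zero random bytes) || 0x00 || M."""
    if len(msg) > K - 11:
        raise ValueError("message too long")
    ps = b""
    while len(ps) < K - 3 - len(msg):
        b = os.urandom(1)
        if b != b"\x00":
            ps += b
    return b"\x00\x02" + ps + b"\x00" + msg


class PaddingError(Exception):
    """The naive server's distinguishable 'not PKCS-conforming' signal."""


def vulnerable_decrypt(c: int) -> bytes:
    """Naive server: reports padding failures separately from everything else.
    That one distinguishable error is exactly the oracle the attack needs."""
    em = rsa_decrypt(c)
    if em[0] != 0 or em[1] != 2:
        raise PaddingError("bad block type")
    try:
        sep = em.index(b"\x00", 2)
    except ValueError:
        raise PaddingError("no separator")
    if sep < 10:                      # padding string shorter than 8 bytes
        raise PaddingError("padding string too short")
    return em[sep + 1:]


def hardened_decrypt(c: int, secret_len: int) -> bytes:
    """Hardened server (the TLS-style countermeasure): never signal a padding
    failure; on any problem continue with a random secret of the expected
    length, so the attacker observes the same behaviour for every ciphertext."""
    em = rsa_decrypt(c)
    sep = em.find(b"\x00", 2)
    msg = em[sep + 1:] if sep != -1 else b""
    ok = em[0] == 0 and em[1] == 2 and sep >= 10 and len(msg) == secret_len
    fallback = os.urandom(secret_len)  # prepared on every call, used only if not ok
    return msg if ok else fallback


def probe(server, c: int) -> bool:
    """What the attacker learns from one query: True if the server treated the
    ciphertext as PKCS-conforming, False if it signalled a padding failure."""
    try:
        server(c)
        return True
    except PaddingError:
        return False


def oracle_leaks(server, c: int) -> bool:
    """Blind c with s = 2: c' = c * 2^e mod n decrypts to 2m, whose second byte
    is 0x04 or 0x05 rather than 0x02, so it is never PKCS-conforming. A leaky
    server answers c and c' differently; a hardened one answers identically."""
    blinded = (c * pow(2, E, N)) % N
    return probe(server, c) != probe(server, blinded)
```

The attack proper repeats the blinded query with chosen multipliers s roughly a million times, narrowing the interval that contains m each time the oracle says "conforming"; this block stops at showing that the vulnerable server leaks that bit and the hardened one does not. In a real implementation the hardened path must also be free of timing differences, or the oracle simply moves from the error message to the clock.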


USB Power Analysis

(power-analysis trace figure omitted) From: http://www3.ietf.org/proceedings/06nov/minutes/saag.txt


Virtualisation

Virtualisation creates some nice new boundaries
  Allows frequent re-imaging
    Stateful applications (cookies etc.) problematic
  Honeypots/IDS: VMs can help
But...
  Guest OS processes can detect the host OS via timing and/or other infidelities
    Attacks on Virtual Machine Emulators, Ferrie, 2006
    CPUID instruction + cache-miss technique
  Hiding the boundary here is dubious


Host Security

Secure end systems used to be a common assumption when attempting to secure a network
Software update
  What is actually (supposed to be) running on that box?
  Even with excellent, controlled s/w update there are potential side-effects
    Skype incident: http://heartbeat.skype.com/2007/08/what_happened_on_august_16.html


Host Security

Host mobility
  Where's that host been before?
  And now where's it gone?
  Battle of the forms (e.g. visiting host)
Even the (guest) OS contains VMs:
  JVM (x N), CLR, many scripting engines, J2EE
Many backend connections from application servers
  DB, file system, WS-*, ...


Enterprise Network Boundaries

DMZ concept becoming a bit outmoded
  Mobile hosts and wireless LANs
  More complex collaborations
De-perimeterisation
  Push security mechanism use towards application servers and clients
Counterargument
  There will be more, not fewer, middleboxes


Middleboxes

Firewalls, NATs, SIP proxies, CDNs and lots of other middleboxes won't go away
Some create new boundaries
  DSL router/firewall/NAT box
    Often firmware never updated
    Recent WEP fuss: http://www.ireland.com/newspaper/frontpage/2007/1002/119**********.html
  SIP-proxy vulnerability
    CVE-2005-4466, a buffer overflow
    http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-4466


Protocol Oddities: UDP-Lite

SIP sets up a call that might use RTP/UDP for voice data
Reliability requirements for voice differ from other traffic
Some people believe UDP-Lite is a reasonable solution for some such cases
  UDP-Lite (RFC 3828) checksum coverage is partial: the header is always covered, how much of the payload is covered is up to the sender
New boundary: partial reliability
Similar work starting on partial cryptographic integrity & confidentiality
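To make the "partial reliability" boundary concrete, here is an added example (not from the slides) that builds and verifies a UDP-Lite datagram per RFC 3828: the checksum covers the 8-byte header plus a sender-chosen prefix of the payload, so a bit error beyond the covered prefix is still delivered while one inside it, or in the header, is rejected. The IPv4 addresses, ports and the RTP-like payload are constructed sample values.

```python
"""UDP-Lite (RFC 3828) datagram build/verify with partial checksum coverage.

Added example, not from the slides. Uses the IPv4 pseudo-header; addresses,
ports and payload below are constructed sample values.
"""
import struct

UDPLITE_PROTOCOL = 136   # IP protocol number assigned to UDP-Lite
HEADER_LEN = 8           # src port, dst port, checksum coverage, checksum


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry, as for UDP/TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: bytes, dst_ip: bytes, datagram_len: int) -> bytes:
    # The pseudo-header length field carries the whole IP payload length,
    # not the coverage value.
    return struct.pack("!4s4sBBH", src_ip, dst_ip, 0, UDPLITE_PROTOCOL, datagram_len)


def coverage_is_valid(coverage: int, datagram_len: int) -> bool:
    # RFC 3828: coverage is 0 (entire datagram) or in [8, length]; 1..7 is illegal
    return coverage == 0 or HEADER_LEN <= coverage <= datagram_len


def covered_bytes(datagram: bytes, coverage: int) -> int:
    """Number of leading datagram bytes the checksum protects; 0 means all."""
    return len(datagram) if coverage == 0 else coverage


def build_udplite(src_ip, dst_ip, sport, dport, payload, coverage) -> bytes:
    length = HEADER_LEN + len(payload)
    if not coverage_is_valid(coverage, length):
        raise ValueError("illegal checksum coverage %d" % coverage)
    datagram = struct.pack("!HHHH", sport, dport, coverage, 0) + payload
    s = ones_complement_sum(pseudo_header(src_ip, dst_ip, length)
                            + datagram[:covered_bytes(datagram, coverage)])
    csum = (~s) & 0xFFFF
    if csum == 0:
        csum = 0xFFFF  # checksum is mandatory in UDP-Lite, so zero is sent as all-ones
    return datagram[:6] + struct.pack("!H", csum) + datagram[HEADER_LEN:]


def verify_udplite(src_ip, dst_ip, datagram) -> bool:
    if len(datagram) < HEADER_LEN:
        return False
    _, _, coverage, csum = struct.unpack("!HHHH", datagram[:HEADER_LEN])
    if csum == 0 or not coverage_is_valid(coverage, len(datagram)):
        return False
    s = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(datagram))
                            + datagram[:covered_bytes(datagram, coverage)])
    return s == 0xFFFF  # covered region plus its own checksum sums to all-ones


def corrupt(datagram: bytes, offset: int) -> bytes:
    """Flip one bit at `offset`, simulating a bit error on the path."""
    b = bytearray(datagram)
    b[offset] ^= 0x01
    return bytes(b)


# Constructed sample: a voice-like frame whose first 4 payload bytes (a codec
# header, say) are checksum-critical while the remaining samples are not.
SRC, DST = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
PAYLOAD = b"HDR1" + bytes(range(20))


def demo() -> dict:
    full = build_udplite(SRC, DST, 5004, 5004, PAYLOAD, 0)
    partial = build_udplite(SRC, DST, 5004, 5004, PAYLOAD, HEADER_LEN + 4)
    return {
        "full_ok": verify_udplite(SRC, DST, full),
        "partial_ok": verify_udplite(SRC, DST, partial),
        # bit error deep in the payload: rejected under full coverage, delivered under partial
        "full_tail_error": verify_udplite(SRC, DST, corrupt(full, 20)),
        "partial_tail_error": verify_udplite(SRC, DST, corrupt(partial, 20)),
        # bit error inside the covered prefix is still caught
        "partial_head_error": verify_udplite(SRC, DST, corrupt(partial, 9)),
        # the coverage field itself is always covered, so tampering with it is caught too
        "partial_cov_field_tampered": verify_udplite(SRC, DST, corrupt(partial, 5)),
    }
```

The security-relevant part is the boundary at `coverage`: anything past it arrives unverified by design, so any integrity guarantee for those bytes has to come from a layer above (SRTP, for instance), which is the "partial cryptographic integrity" question the slide raises.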


Delay- and Disruption-Tolerant Networking

Delay- and Disruption-Tolerant Networking (DTN) aims to ensure that data flows even if there is never any end-to-end connection
  DTN works when TCP breaks!
Original concept related to an Interplanetary Internet, but has now morphed to include terrestrial applications
  Sensor nets, networking in developing regions
http://www.dtrng.org/


Protocol Oddities: DTN Security

Bundle protocol security
  Crypto primitives, but no key management (yet)
Mixtures of fragmentation, opportunistic routing and security can be difficult
For some challenged nodes, have to apply crypto inside the network
  Like a generalisation of a VPN tunnel


Web 2.0


Web 2.0 Issues

Malware distribution via server compromise
  With Web 2.0 there are many more servers in play
JavaScript fragment (figure omitted) from http://www.prolexic.com/zr/zombie_july_2007.pdf


Another Web 2.0 Issue

JavaScript vulnerabilities
  Subverting Ajax, Di Paola, 2006
  Overloading of XMLHttpRequest
AJAX applications depend on the security of all the servers that load code
  Any earlier-loaded code could subvert what loads after it
  Mashups will be as secure as the least secure server?
Should have expected that, I guess.


Internet-scale Boundaries

Botnets
  For-hire zombies, mainly for spam
  Blue Security & Estonian incidents
    "The New Front Line: Estonia under Cyberassault," Lesk, IEEE Security & Privacy, July/August 2007
  Botnets might even represent a view of a new Internet architecture
SAVA: source address validation
  Make IP source addresses accountable in the same way that DKIM tries to make mail originators accountable


Future Internet

GENI: a testbed for future Internet architecture research
  http://www.geni.net/
Concept of slices
  Slice = {CPU, disk, bandwidth, router} x N
  All nodes virtualised
GENI security model includes authentication and authorization
  Currently quite simple, but would have to grow as GENI is built out


Above the Application Layer

Social engineering
  USB token (plus trojan) distribution in smoking areas
    15/20 devices retrieved
    15/15 plugged in and called home via email
  http://www.darkreading.com/document.asp?doc_id=95556


Risk Analysis and Boundaries

Standard risk analysis still applies
  And is as necessary as ever
Threat models are very complex
  Bad things can happen at so many places
Impact unpredictable
  Widespread systems => news factor
  Dependency on external systems
  Moving targets


Attack Surface

Given that we don't really know how to deal with such complex systems, can we reduce risk anyway?
The attack surface of a system is essentially the set of interfaces (or resources) it offers
Seems sensible to try to reduce the attack surface of the system
  Generally arguing for simplicity


Relative Attack Surface

Generally one would need a metric to evaluate attack surfaces
  One could compare different versions of the same system more easily
  Maybe even different vendors' systems implementing the same standards
Problem: how to model systems
  An Attack Surface Metric, Manadhata, 2005
  http://reports-archive.adm.cs.cmu.edu/anon/anon/2005/CMU-CS-05-155.pdf
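As an added example (not from the slides, and not the paper's own code or numbers), the Python below shows what a relative comparison of two versions of one system looks like when the attack surface is modelled the way the cited report does: entry points grouped into methods, channels and data items, each weighted by a damage-potential to attacker-effort ratio, with the result kept as a per-group triple rather than a single number. The resource inventory for the hypothetical appliance, the ordinal scales and every numeric weight are assumptions chosen for illustration.

```python
"""Relative attack-surface comparison in the style of Manadhata & Wing's
damage-potential / effort ratio. Added example: the inventory, ordinal
scales and weights are assumptions, not values from the cited report.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Damage potential per resource kind (assumed ordinal scales)
PRIVILEGE = {"root": 5, "service": 3, "user": 1}                  # methods
PROTOCOL = {"raw_tcp": 4, "http": 3, "ssh": 2, "unix_socket": 1}  # channels
DATA_TYPE = {"executable": 5, "config": 3, "text": 1}             # data items
# Attacker effort, from the access rights needed to reach the resource (assumed)
ACCESS = {"anonymous": 1, "authenticated": 3, "admin": 5}

KINDS = ("method", "channel", "data")


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str     # one of KINDS
    damage: str   # key into the damage scale for its kind
    access: str   # key into ACCESS

    def ratio(self) -> float:
        scale = {"method": PRIVILEGE, "channel": PROTOCOL, "data": DATA_TYPE}[self.kind]
        return scale[self.damage] / ACCESS[self.access]


def measure(resources: Iterable[Resource]) -> Dict[str, float]:
    """Attack surface measurement: per-kind sum of damage/effort ratios."""
    totals = {k: 0.0 for k in KINDS}
    for r in resources:
        totals[r.kind] += r.ratio()
    return totals


def delta(a: List[Resource], b: List[Resource]) -> Dict[str, float]:
    """Per-kind change from A to B; negative means B exposes less."""
    ma, mb = measure(a), measure(b)
    return {k: round(mb[k] - ma[k], 3) for k in KINDS}


def smaller_than(b: List[Resource], a: List[Resource]) -> bool:
    """B is smaller than A only if no component grew and at least one shrank.
    This is a partial order: if one component grows while another shrinks the
    two versions are incomparable and the triple must not be collapsed."""
    ma, mb = measure(a), measure(b)
    return all(mb[k] <= ma[k] for k in KINDS) and any(mb[k] < ma[k] for k in KINDS)


# Constructed inventory: version A of a hypothetical DSL-router-style appliance...
VERSION_A = [
    Resource("telnetd.login", "method", "root", "anonymous"),
    Resource("httpd.admin", "method", "root", "anonymous"),
    Resource("tcp/23", "channel", "raw_tcp", "anonymous"),
    Resource("tcp/80", "channel", "http", "anonymous"),
    Resource("/etc/passwd", "data", "config", "anonymous"),   # world-readable
    Resource("/usr/bin/fw_update", "data", "executable", "admin"),
]
# ...and version B: telnet dropped, admin UI behind authentication and
# running as a service account, ssh added, config file no longer world-readable.
VERSION_B = [
    Resource("httpd.admin", "method", "service", "authenticated"),
    Resource("sshd.login", "method", "user", "authenticated"),
    Resource("tcp/80", "channel", "http", "anonymous"),
    Resource("tcp/22", "channel", "ssh", "anonymous"),
    Resource("/etc/passwd", "data", "config", "authenticated"),
    Resource("/usr/bin/fw_update", "data", "executable", "admin"),
]
```

Two points of practice fall out of this shape: the weights only make sense when both inventories were built with the same scales, so the metric compares versions of a system (or implementations of one standard) rather than unrelated products, and a change that shrinks one group while growing another is an answer of "incomparable", not "roughly the same".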


(Tentative) Conclusion

Consider the various boundaries when doing threat analysis
Try to reduce the attack surface in whatever way you can
Maybe in a year or two someone with experience with APIs could consider standards for attack surface metrics?
