The Enemy Has Surrounded the Castle— Is It Time to Develop a Plan? Dr Charles P Pfleeger CISSP [email protected]

The Enemy Has Surrounded the Castle—Is It Time to Develop a Plan?

Dr Charles P Pfleeger [email protected]

04/18/23 The Enemy is at the Gates 2

The Enemy at the Gates

Status of the security field today
Progress of the last three decades
Prognosis for the future
A plan
Conclusions

© 2003 Charles P Pfleeger

Information Security Today

Infrastructure
Systems
Applications
People
Users

Critical Internet Threats

SANS Institute:
1. BIND/DNS weakness, root compromise
2. Vulnerable CGI programs
3. RPC weakness, root compromise
4. RDS flaw in MS Internet Information Server (IIS)
5. Sendmail and MIME buffer overflows
6. Sadmind and mountd buffer overflows
7. Global file sharing vulnerabilities in NT, Unix NFS, and Macintosh Web sharing
8. UserIDs with weak (or no) passwords
9. IMAP and POP buffer overflows
10. Default SNMP community strings, unencrypted and weak

Common Themes

Buffer overflows and other coding errors

Insecure initial configuration, defaults, and administration

Privilege compromise

Protocol weaknesses

Malicious Code Events

approx 1983: first virus; today, one anti-virus tool manufacturer reports protection against over 50,000 strains
1987: C. Stoll’s attacker in The Cuckoo’s Egg
1988: Morris worm
1992+: Kevin Mitnick
1994: first Microsoft Word virus
late 1990s: web site defacements (New York Times, H-P, Compaq, Alta Vista, eBay, Int’l Girl Scouts, …)
2001: Code Red, NIMDA
2002: Melissa, ILoveYou
2003: Slammer, sobig.f

Code Red Virus

19 June 2001: initial flaw report; patch posted a few days later
13 July 2001: initial attack; slow spread for first few days
Estimated effect: 750,000 servers affected (12.5% of servers worldwide); 400,000 after 1 Aug 2001; >$2 billion US to clean up
At least four variants
Structured buffer overflow in Microsoft IIS
Components: web site defacement; Trojan horse for later control; distributed denial of service

NIMDA, Melissa, Slammer, …

Standard attack components: compromise mechanism; propagation mechanism; payload

Massive effect: large number of affected systems; widespread infection; much wailing and gnashing of teeth; public attention/concern short

IIS 4.0 Security Patch History

14 May 2001 Windows NT4 Security Patch: Superfluous decoding operation could allow command execution via IIS

29 Jan 2001 Windows NT4 IIS4 Security Patch: File Fragment Reading via .HTR Vulnerability

21 Dec 2000 Windows NT 4.0 Security Patch: Malformed Web Form Submission Vulnerability

20 Nov 2000 Windows NT 4.0 IIS4 Security Patch: Web Server File Request Parsing Vulnerability

2 Nov 2000 Windows NT 4.0 IIS4 Security Patch: IIS Cross-Site Scripting Vulnerability

23 Oct 2000 Windows NT 4.0 IIS4 Security Patch: Session ID Cookie Marking Vulnerability

24 Aug 2000 Windows NT 4.0 IIS4 Security Patch: Cross-Site Scripting Vulnerability

13 Jul 2000 Windows NT 4.0 IIS4 Security Patch: Absent Directory Browser Argument Vulnerability

11 May 2000 Windows NT4.0 Internet Information Server 4 (IIS4) Security Patch: Malformed Extension Data in URL

10 May 2000 Windows 2000 IIS4 Security Patch: Undelimited .HTR Request and File Fragment Reading via .HTR

11 Apr 2000 Internet Information Server 4.0 (IIS4) Security Patch: Myriad Escaped Characters Vulnerability

20 Mar 2000 Internet Information Server (IIS) 4 Security Patch 4.2.739.1: Chunked Encoding Post Vulnerability

24 Feb 2000 Internet Information Server 4.0 (IIS4) Security Patch: Virtualized UNC Share Vulnerability (Intel)

20 Jan 2000 Internet Information Server (IIS) and Client Web Capacity Analysis Tool 4.35

7 Dec 1999 Internet Information Server 4.0 (IIS4) and Site Server 3.0 Security Patch: Virtual Directory Naming

6 Dec 1999 Internet Information Server (IIS) Security Patch 4.2.732.1: Escape Character Parsing Vulnerability

18 Jun 2001 MS01-33 Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise

Common Themes

Numerous security patches—“penetrate and patch” returns

Patching, administration, maintenance moved to end user

Defender needs complete protection; attacker needs only one vulnerability

Fragile community, infrastructure: devastated by simple attack

What Do Users Expect?

Functionality, Functionality, Functionality
More, better, faster, sexier
Security: implemented by “fairy dust”, for free

What Do Users Get?

System crashes— no apparent cause, seemingly random times

Vulnerability patches of unknown content

Few choices

Last Three Decades’ Progress

Milestones in information security
Progress

Information Security Papers

1969 W. Ware and 1972 J. Anderson panels: need an organized approach to security
1975 J. Saltzer and M. Schroeder: secure system design principles
1979 R. Morris and K. Thompson: password security case study
1984 K. Thompson: potential effect of an embedded Trojan horse
1989 S. Crocker and M. Bernstein: ARPA-/DARPA-Internet disaster causes
(references at end)

Results: New Ideas

Operating systems: Multics, KVM, PSOS, KSOS, SE-VMS, SCOMP; Unix (and Linux); Windows NT/2K, 98/ME/XP
Networks: Verdix LAN, Boeing SNS; TCP/IP, Novell; IPv6 with security features … still in the future

Results: Old Ideas

Firewalls: implementation of the “reference monitor” concept of 1972
Virus scanners: based on 1970s pattern matching research
VPNs: an outgrowth of military cryptography
Intrusion detection systems: based on 1985 research

Evaluation: User’s and Trust

Criteria: US (‘83), Canada (‘87), UK (‘89), Germany (‘89), ITSEC (‘91), US Federal Criteria (‘93), Common Criteria (‘94)

Status: scheme with mutual recognition; dozens of evaluated products; US (military) encouragement

Evaluation limited: scope, time, depth
Not a major market differentiator

Who is Ahead?

50,000 virus and malicious code strains
>600 million Internet users (not all of whom are malicious)
<10,000 certified information security professionals (SANS GIACs and CISSPs), plus many professionals who are not certified
US$6.7 billion worldwide market for security services; growing to US$21 billion by 2005

Today’s Key Problems

Buffer overflow
Interface failures
Passwords
Time-of-check to time-of-use
Unintended side effects
Hard to understand controls
User awareness, understanding
All problems from 1970s
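The time-of-check to time-of-use item above is the one on this list that is easiest to misread as a mere coding slip, so here is an added example (my own code, not from the talk) of its classic file-access form beside the fix. The function names are mine; the code assumes a POSIX system. The racy version checks a path name and then opens the same path name, two separate lookups between which the name can be pointed at a different object; the fixed version opens first and inspects the object it actually got, through the descriptor, where no renaming can reach it.

```c
/* Added example, not from the talk: TOCTOU on a file path and the
 * open-then-fstat fix.  Function names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy form: stat() is the time of check, open() is the time of use.  Each
 * call resolves the path name afresh, so the object opened need not be the
 * one that was checked (and stat() follows symbolic links).  Returns a
 * descriptor, or -1. */
int open_regular_racy(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;                           /* time of check */
    return open(path, O_RDONLY);             /* time of use */
}

/* Fixed form: open first, then check the opened object via its descriptor.
 * fstat() reports on the file behind fd regardless of what the path name
 * now points to, and O_NOFOLLOW refuses a symbolic link at the last
 * component.  Returns a descriptor to a regular file, or -1. */
int open_regular_checked(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);                           /* directory, device, ... */
        return -1;
    }
    return fd;
}

int main(void)
{
    /* constructed demo: a scratch regular file, then a directory */
    char path[] = "/tmp/toctou-demo-XXXXXX";
    int tmp = mkstemp(path);
    if (tmp < 0) {
        perror("mkstemp");
        return 1;
    }
    close(tmp);

    int fd = open_regular_checked(path);
    printf("regular file: %s\n", fd >= 0 ? "opened" : "refused");
    if (fd >= 0)
        close(fd);

    fd = open_regular_checked("/");
    printf("directory:    %s\n", fd >= 0 ? "opened" : "refused");

    unlink(path);
    return 0;
}
```

The general rule the fixed version follows is to make every decision about a resource on the handle you will use, never on the name you looked it up by; the same discipline applies to sockets, database rows and cloud objects, not only to files.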

Frank Assessment

Flaws and flawed products are increasing faster than the security community
Attacks and attackers are getting nastier
We [the good folks] are slipping farther and farther behind
Spending for security and security research is increasing far more slowly than the threat

Research: Who Funds What

Company: products and technologies (firewalls, PKI solutions, IDSs, authentication devices, etc.)
Consortium: members’ interests (protocols such as IPv6 and LDAP, standards such as CORBA, APIs for crypto and access)
Foundation: public interest (ethics, privacy: ACLU, recording industry)
Government: long-term, conceptual (technology: Internet, formal methods; problem-solving: secure OS)

Research Needs

Self defense
Domain confinement
Trust, assurance
Software “plug and play”
Software fault tolerance
Identity management
Patch approach

Self Defense

Problem: patches, mobile code, distributed applications, client-side functionality; unknown origin, quality, action
Known approaches: signing; confinement

Domain Confinement

Problem: limiting harmful effects of untrustworthy code
Known approaches: sandbox (Java)—software; hardware-enforced separation; domain type enforcement

Trust, Assurance

Problem: basis for trust between unknown parties; metrics for trust and assurance; algebra of trust: good + very good = ?
Known approaches: evaluation schemes; testing; e-mail: PGP vs PKI; screening (firewall), trial period

Software “Plug And Play”

Problem: little “genetic diversity,” component substitution; desire to substitute high assurance component for factory default
Known approaches: software engineering, modularity, APIs; reverse engineering

Software Fault Tolerance

Problem: oversights (buffer overflows) undetected; failures produce catastrophic results; software does not detect and protect (isolate, recover)
Known approaches: software engineering: reviews, testing; training: trustworthy computing initiative; hard to do for system composed of many parts
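The buffer overflow is the coding error the talk keeps returning to: it heads the Common Themes slide, it is what several of the SANS top ten items are, and it is the "oversight undetected" of this slide. The following is an added example (my own code, not from the talk) showing the unchecked copy that leaves the oversight undetected beside a bounded version that detects the bad input and refuses it, which is the "detect and protect" behaviour the slide asks for. The record layout, the field size and the wire format are constructed for illustration; the function names are mine.

```c
/* Added example, not from the talk: an unchecked fixed-buffer copy beside
 * a bounded one.  The struct layout, field size and record format are
 * constructed for illustration; function names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16            /* constructed field size */

/* A record with a fixed-size text field followed by a flag: the layout in
 * which an overflow of the field silently rewrites whatever follows it. */
struct session {
    char name[NAME_MAX_LEN];
    int  is_admin;
};

/* Vulnerable form (the "oversight undetected" case): the copy is bounded
 * only by the caller-supplied string, never by the destination.  Kept for
 * contrast; nothing in this example calls it with oversized input. */
void set_name_unchecked(struct session *s, const char *name)
{
    strcpy(s->name, name);
}

/* Hardened form: measure the input against the destination *before*
 * writing and report failure to the caller, so the request can be logged
 * and refused.  Returns 0 on success, -1 if the name would not fit
 * together with its terminating NUL.  The record is left untouched on -1. */
int set_name_checked(struct session *s, const char *name)
{
    size_t len = 0;
    while (len < NAME_MAX_LEN && name[len] != '\0')
        len++;
    if (len == NAME_MAX_LEN)
        return -1;                 /* detect and refuse instead of overflow */
    memcpy(s->name, name, len + 1);
    return 0;
}

/* The same discipline for a length-prefixed wire record (constructed
 * format: one length byte followed by that many name bytes).  Two bounds
 * apply: the bytes actually received and the size of the destination.
 * Returns 0 on success, -1 if either bound is violated. */
int parse_name_record(const unsigned char *buf, size_t buflen,
                      struct session *s)
{
    if (buflen < 1)
        return -1;                 /* no length byte at all */
    size_t len = buf[0];
    if (len + 1 > buflen)
        return -1;                 /* claims more bytes than were received */
    if (len >= NAME_MAX_LEN)
        return -1;                 /* would not fit in the destination */
    memcpy(s->name, buf + 1, len);
    s->name[len] = '\0';
    return 0;
}

int main(void)
{
    struct session s = { "", 0 };
    /* constructed inputs: a fitting name, an oversized one, a valid wire
     * record and one that lies about its length */
    const char *ok = "alice";
    const char *too_long = "a-name-that-is-far-longer-than-the-field";
    const unsigned char good[] = { 5, 'a', 'l', 'i', 'c', 'e' };
    const unsigned char lying[] = { 200, 'x', 'y' };

    int r1 = set_name_checked(&s, ok);
    printf("checked copy of \"%s\": %d\n", ok, r1);
    int r2 = set_name_checked(&s, too_long);
    printf("checked copy of oversized name: %d (name still \"%s\", is_admin=%d)\n",
           r2, s.name, s.is_admin);
    int r3 = parse_name_record(good, sizeof good, &s);
    printf("parse good record: %d (name \"%s\")\n", r3, s.name);
    int r4 = parse_name_record(lying, sizeof lying, &s);
    printf("parse lying record: %d\n", r4);
    return 0;
}
```

The point of the second function is that a length field arriving from the network is attacker-controlled data, not a trustworthy description of the buffer, so it has to be checked against both what was actually received and where the bytes are going; failing either check returns an error the caller can act on instead of corrupting the record.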

Identity Management

Problem: continuous I&A for distributed system; application-level authentication; basis for authentication of previously unknown parties; process acting on behalf of individual; users want “single sign on”
Known approaches: local I&A, remote authentication (one-time), encrypted channels

Patch Approach

Problem: never-ending check for patches; patching can introduce errors, break other code (“If it works don’t fix it”); responsibility on naïve end-user
Known approaches: telephone; automatic update

Problems with Research

Research is hard: easier to find one flaw than prevent all
Results are not easily accepted: ease of use; cost of security; little user demand; time-to-market

From Earth to Moon

US/USSR space race
International priority
Large investment
Attracted bright, dedicated people
Interdisciplinary
Some setbacks, but many, very visible successes; spin-offs
Some national defense value but much non-military
Not essential to world

Conclusions

Rich history of research results

Much of best work done in ’70s-’80s

Interesting challenges

International problem

Money needed, but comparatively little

A Final Word …

References

Anderson, J., “Computer Security Technology Planning Study,” U.S. Air Force Elect. Sys. Div. Tech. Rpt. 73-51, Oct 1972; also http://csrc.nist.gov/publications/history/ande72.pdf

Crocker, S. and Bernstein, M., “ARPANET Disruptions: Insight into Future Catastrophes,” TIS Report #247, TIS Labs at Network Associates, 24 Aug 1989. No URL.

Morris, R. and Thompson, K., “Password Security: A Case History,” Comm. of the ACM, Nov 1979.

Saltzer, J. and Schroeder, M., “Protection of Information in Computer Systems,” Proc. of the IEEE, Sept 1975.

Thompson, K., “Reflections on Trusting Trust,” Comm. of the ACM, Aug 1984.

Ware, W., “Security Controls for Computer Systems,” Rand Corp. Tech. Rpt. R-609-1, 1970 (reissued 1979); also http://www.rand.org/publications/R/R609.1/R609.1.html