Wednesday, June 30, 2004

USENIX '04: Dan Geer, Scott Charney, Avi Rubin: Debate: Is an Operating System Monoculture a Threat to Security?

Dan Geer, Chief Scientist, Verdasys, Inc.;
Scott Charney, Chief Trustworthy Computing Strategist, Microsoft Corporation
Moderated by Avi Rubin, Johns Hopkins University

*****

One-line position summaries:

Dan Geer: In any ecosystem, diversity promotes health

Scott: Forcing diversity doesn't solve the problem

*****

Dan Geer:

He is in security by accident.

A computing monoculture is a danger on many levels.

Computing systems tend to behave like biological systems; our metaphors reflect this. Understanding the natural world lends a better understanding of our technological world. Examination of the genome shows that it's cheaper to keep everything than to prune what is no longer needed.

But is the biological, evolutionary cycle the only possible way to do things?

The minimum gene set is the core genetic infrastructure to make life work.

Immunity is biologically expensive. The more advanced the organism, the more immunity is needed.

The bigger & juicier the technological target, the more it needs to be defensive.

The only protection from this is isolation, but that leads to other problems -- it's not always feasible.

Hence, egress filtering is as important as ingress.

Spam has many similarities to an autoimmune disorder, as wanted ham is lost with filtered spam.

Some pathogens are opportunistic (AIDS), just like the Nimda, Slammer, Witty, etc. worms.

Microsoft itself is not immune to these vulnerabilities.

Herd immunity: if the herd is protected as a whole from epidemics, individuals can still be vulnerable.

Half-life curve: vulnerabilities can never be patched with constant effort. Compare against immunization to the influenza virus.

Worst case disease: 100% infection, rapid spread, slow onset. We see such things in modern computer viruses.

Biological mutation is non-random [really??? --chd], and computer virus mutation is directed and strongly connected to selection processes. This accelerates the accumulation of mutations.

The E. coli in your gut is highly resilient, and much less "monoculture-esque" than it may seem. By reproducing at a 1% rate, it can replenish itself rapidly, and cannot be purged -- nor should it be.

Punctuated equilibrium -- sorry, missed what he said here.

Microsoft is adding a plethora of features, but we can't ex post facto sprinkle security over all of these diverse components. Marcus Ranum gets this wrong -- he places too much faith in the diversity of Windows software.

TCP isn't a monoculture, just as E. coli isn't. If it were, the internet would have collapsed around us years ago.

Null hypothesis: lessons learned in the natural world apply to the computing world.

Therefore, following from the assumption that this is true (not a stretch), then yes, a software monoculture is a massive threat.

Technical professionals are overwhelmed trying to defend computing targets.

The monoculture bets on the defence of unknown vulnerabilities; when they become known, they become a threat, but when they remain unknown, they can be ignored.

The Witty worm is a powerful example of the risks.

As with economics, diversity isn't cheap -- true, but the risks are more expensive.

All monocultures live on borrowed time. Potato famine, boll weevil, Brazilian cocoa farmers, etc.

DAMN THIS GUY TALKS FAST.

*****

Scott

English / History major, public office in the Bronx, then a corruption agent for the Feds. For 8 years in the 1990s, he was [with?] the lead federal prosecutor for cybercrimes.

He feels that Geer oversimplifies the issue. Cisco, for example, is a big player that could be complained about; likewise, it isn't obvious how diversification would help the spam issue.

In prosecuting cybercrime, cases fell in three areas: confidentiality, integrity, availability.

Gave example of a case where someone got a system account that tickled a system misconfiguration that caused a $.75 accounting error, but uncovering it revealed a Soviet espionage ring that would have lain dormant if the trivial monetary issue hadn't been investigated.

People attacking confidentiality of systems will not advertise their actions, because they want to exploit the asset over a long period of time.

In integrity attacks, as with confidentiality attacks, monoculture isn't really the problem and changing that won't really make the problem go away.

Southwest Airlines attributes their success to a monoculture -- they fly just one type of plane, so their maintenance issues are much simpler, any pilot can fly any plane, etc. Yes, this makes them vulnerable to a hypothetical FAA grounding of their one plane, but they accept that risk.

In analyzing cascading errors, he asserts that going to a 50/50 Linux / Windows world wouldn't necessarily break the monoculture. It's not hard to posit a broad attack intending to bring down the network that could either fork & hit both platforms, or be launched as two attacks in parallel.

Splitting from 1 to 2 dominant platforms doesn't mitigate the problem; you have to split into millions of platforms to have a statistically significant effect.

The goal has to be to increase security, not to break the monoculture.

In the early 90s as a prosecutor, he tried to talk the dominant vendors into taking security seriously, but they responded that the market was far more interested in features & usability; they all said to go away.

He feels that complexity is the enemy of security. We need to find ways to halt cascading effects, using our resources in cost-effective ways.

*****

Question session:

Q-Rubin:
In terms of diversity, we have a handful of legit OSes in common use. What is the plan to promote diversity & how to account for the mutation tendency in natural systems?

A-D: Any time you have one system making up more than 50% (or possibly, 43%) of the ecosystem, the tendency towards system-wide failures increases drastically. Obviously, broadening the landscape is needed. Spending some of the new horsepower on diversity (e.g. different instruction sets on every single machine) might be worth considering.

A-S: Diversity is needed. We're in the early days of the third revolution of civilization (agriculture, industrial era, information) and we obviously have a long way to go. The markets are not designed to deal with these needs, but we still need a reasonable return on investment.

Q-Rubin:
If diversity won't help spam & similar viruses, what will help?

A-S: User education, technology, "don't open attachments", etc. But people won't do this, just as people don't all wear seatbelts. Software that prevents opening executable code etc. will help too.

A-D: Attractive nuisance -- if a failure to protect your systems allows a third party to use them to attack some other third party, there should be some culpability there. This is pretty much how spam is delivered today (attractive nuisance, force majeure, etc.) and we can't allow the vendor to be blameless for allowing this to happen. Forcing ownership of culpability helps a lot.

Q:
There are OSes besides Windows & Linux, and Linux itself is quite diverse.
APIs should be made open & we can have a diversity of implementations.
The single most dangerous software ever written is Internet Explorer.

A-S: The antitrust decree does mandate the publication of APIs, but he doesn't think this will solve all the problems. Secure functionality wasn't a requirement when IE was written [really??? --chd].

A-D: The easiest way into any major app is to overflow its buffers -- this gets you past everything else. Hence, application interfaces are a bigger issue than system interfaces. Simple, well documented interfaces are a principal avenue to changing what is in place in the field.

Q-Perry Metzger, co-author of Dan's paper:
Scott focused his talk on experiences as a prosecutor, etc -- not the real question. We all know that diversity won't fix everything, but S. mostly did not address the problem that a monoculture leads to.
Are you really going to assert that having all Windows machines makes anything safer from worm infestations?
Diversity isn't a panacea; but there are certain classes of problems it helps.

A-S: Having old, unpatched versions of Windows is bad. [no shit --chd]. Customers need to figure out where diversity will have the biggest positive gain in their environment.

A-D: Organizations need to decide how much they want to patch machines that are often, frankly, pirated. It's possible to harden an environment in a way that makes it brittle, not tough -- Southwest Airlines is probably tough more than brittle, but that's a bet they're making. Absent leadership, what can individual enterprises do?

A-S: When considering what to do, enterprises need to analyze what forms of security will bring in the most effective results: auditing, firewalls, etc.

A-D: It's like catastrophe insurance. At some point it's a good thing that we don't all needed

Q-Dave Frisado, Google, to "Reverend Dan"
The biodiversity argument isn't apt. The computers aren't independent units like cells or organisms, with the capacity for immunoresponse. Diversity isn't enough to manage a lot of the problems they see -- a single remote Windows based attack can swamp their Unix servers & starve bandwidth. They had a diverse environment with multiple platforms & it still didn't help.

A-D: We're still at a primitive stage in evolutionary terms [Mr. Google agrees with this --chd]. Therefore, we have a long way to go. Bandwidth throttling can help. [Dave asserts that this isn't the role of an immune system].

Q-???:
Informed heterogeneity is the way to go, not forced. Hackers are blamed for the problems, not the vendors that produced the flawed software. In a culture where it's assumed that someone else will fix it, where does the buck stop? How can we fix this?

A-S: Vendors have to reduce the number of vulnerabilities. The security push for Windows Server 2003 came after it was coded [damn, that was smart --chd], so it was admittedly too late to be really effective. Still, we have to keep at it. The need for backwards compatibility prevents them from being able to do a clean-slate rework of that which is known to be broken. If we've dug a hole that's so deep we have to start over, then how do we deal with that?

A-D: Regulatory compliance is the biggest motivator of change here, unfortunately. When compliance is proposed, how does industry respond? Poorly. The recent Sarbanes-Oxley Act is full of issues for IT personnel to address, and aside from this audience, no one cares about the issues it raised.

A-S: Microsoft's complaint with the recent national security policy was that it didn't go far enough. Security is a cost center, not a business enabler. The fact that it's a necessary cost is driving some change here.

Q-???:
Monoculture by choice isn't so bad, but monoculture by de facto market compulsion is a risk.

A-S: I like choice. It's a good thing. Beyond that, it goes to antitrust issues and I can't discuss that.

A-D: Choice has to be such that defined interfaces are simple, stable, and they work.

Q-Marcus Ranum, silly cowboy shirt:
Please comment on your targeting algorithm in going after Microsoft rather than the Intel instruction set, the browser monoculture, etc. Isn't this just another anti-MS rant?

A-D: Not at all. The data backs up his analysis.

*****

Scott -- closing remarks:

We have dug ourselves a big hole, and we need to think about security holistically. Increasing diversity will not necessarily solve our problems. We can do other things to be more secure, and we need to take those steps. Dan said that we're in a primitive state, which I agree with. The solution he wants is 50 to 100 years off, and we need to deal with today's problems today. We have to have actionable goals to make meaningful progress in order to bring a more secure environment.

Dan -- closing remarks:

Nature has without question shown that monocultures are a dying state or a last gasp. We must submit to nature's lessons. We have run all we can to stay in place. We realize now that amateur attacks obscure the actions of truly dangerous professionals. We are too interdependent to ignore these risks. "We have met the enemy and he is us."

*****

Straw poll: before the talks, the audience overwhelmingly took Dan's point of view. That only changed slightly by the end.

USENIX '04: Gerald Carter, Samba team: Deploying Samba

Gerald (Jerry) Carter, HP SAMBA team
http://www.plainjoe.org/
jerry@samba.org

Main development now is on Samba4

Samba 3.[125]


Samba 3.2:
* full NT ACL compatibility
* full SAM replication with NT 4.0 BDCs
* i18n
* NT privs
* libregistry API
* uses LDAP directory services for config
* merge of RPC server infrastructure from Samba 4 (maybe)
* better management tools


Samba 4:

* Tridge started S4 to fix IBM filesystem needs, feeling a rewrite was needed
* Never mind the "official" CIFS draft -- they just copy what Windows does
* extremely flexible, very robust client library (IDL for client layer)
* They want to share IDL under LGPL (or similar) for Wine etc. to use, while Samba itself will still be GPL
* Able to run a single multiplexing TCP daemon for embedded devices
* Also a threaded mode for those that want it, but still a forking model

Samba 4 is probably 24 months off right now.


Active Directory DC -- when will Samba be able to replace Active Directory?
* cross project: kerberos 5, ldap, ddns, cifs
* work remains: ms-cldap, new rpcs
* work continues, but the scope is unknown so there's no target release yet

Prospects for CIFS clients on UNIX
* IBM funded cifsvfs for linux 2.6
* OSX has native smbfs support
* possibility of interaction with HP; the 'unix extensions' smb.conf option
* possibly an alternative to NFSv4
* however, MS wants to do away with CIFS in Longhorn...

Other Samba team activities
* cvs modules (lorikeet - interop patches), sangria (python framework for smb.conf management)
* huge bugzilla backlog


***** questions *****

Samba accounts really do have to map to Unix accounts. They tried doing without them, but the code got more confusing & difficult to maintain, and the gain was debatable, so they went back to requiring that Samba accounts have a traditional Unix UID.

Interop with Sun ONE or IBM's LDAP directory server is messy -- things aren't as standard or compatible as they should be. Interaction with Novell's NDS is an issue open to discussion right now.

Password lockout support was included in Samba 3.0.3. The pdbedit command sets this policy. It does not require LDAP, but you need at least TDB SAM or smbpasswd. Patches related to this are pending.

TDB SAM is one of the password database backends; it basically puts the smbpasswd data into a database using a single-read, single-write, very fast db engine.

Policy management: workstation only; limited.
System policies are implemented as registry entries; group policy objects & privileges aren't supported (yet). Much of this comes with AD support, whenever that arrives.

Domain Controller support is tentatively on the way for 4.0, but because the scope of the project isn't known he can't pin down when it will be available. He mentions that it has been done, at least as a proof of concept, but when Samba will be able to do it remains an open question.

Issue where cached versions of user profiles are accidentally being converted into backup profiles. Jerry suspects this is an issue with the security descriptor on that particular file, but he hasn't been able to pin down why this happens.

Samba supplies a suggested LDAP schema. For a new LDAP server it makes sense to use it; other than that, it isn't published anywhere.

The Apple OS X Server Windows networking is provided by a forked version of Samba. Their changes have been published, but haven't been imported into mainline Samba (not seen as broadly relevant, e.g. hacks for NetInfo support). He doesn't really see any obvious issues with going with Apple for PDC serving, but thinks that Debian would be more flexible.

A guy asked about an office where first the servers & now the clients have all been migrated from Windows to BSD; should this person keep using the nice, reliable Samba server? Jerry says they don't need it in that case, and as a Unix to Unix protocol it doesn't really contribute much yet, especially as compared to how well tested NFS is. Long term, they would like to be an alternative to NFSv4, but they're not there yet.

USENIX '04: Security SIG, Avi Rubin et al: The Politicization of Security

This talk appears to be sponsored by krispy kreme, but WASN'T. Just so we're clear on that.

Moderator, Avi Rubin, JHU
Gary McGraw, Cigital
Jeff Grove, ACM
Ed Felten, Princeton

Rubin has no background in politics, but has had to deal with it while getting involved with e-voting.

Ed Felten's blog - http://freedom-to-tinker.com

Live chat blog: http://www.freedom-to-tinker.com/archives/000632.html#comments

*****

Diebold, by promising to deliver Ohio to Bush, put their agenda too front & center. Rubin tried to keep his politics out of the discussion on C-SPAN, but was called out as a Democrat when a caller asked his politics and was told that he is a nonpartisan computer scientist.

The Congressional committees are polarized; he testified for the committee, then the Democrats called him back to testify again when the Republican leadership wasn't around. Eventually, the Republicans wouldn't agree to let the meeting proceed and he didn't get the second chance to speak; maybe he will next month.

Washington has never been more politicized. CS geeks need to get involved & learn to speak to the wonks.

*****

Felten: it's false to assume that one side of the political spectrum will be more willing to help us than the other

*****

Gary McGraw

As computer scientists, we're vulnerable to the same risks that were faced by Galileo, Darwin, Oppenheimer, et al. before us.

Security is a sensitive subject: in managing risks, individual rights are often trampled (DMCA, Patriot Act), and technology can compound this problem (Echelon, CSS).

A big budget does not imply good security (Java marketing, Windows, Diebold).

Full disclosure is an open question: Open, liberal societies let the public decide based on clear evidence; debate is healthy, attacks are necessary and in ways constructive.

*****

Jeff Grove

Has worked for the past decade as a lobbyist for technology issues.

Bad laws have made it through, and more are on the way. There are European cybercrime laws that are now being considered in the Senate; these laws need close scrutiny.

Laws under consideration now will have unintended consequences, with regulations of P2P networks spilling over to technologies like email, IM networks, etc. We don't want to risk letting non-infringing technologies be suppressed by uninformed regulators in the government.

*****

Ed Felten -- "Fun with the RIAA"

Alex Halderman studied a DRM technology for CDs from a company called SunnComm that could be defeated by holding down the shift key when inserting the CD (and for the 30% of people who turn off autorun, even that wasn't needed). SunnComm threatened to sue, and Princeton management panicked, with SunnComm pressuring the university to crack down on their researchers. Felten got the school to come around to why security research is valuable, and they now defend him.

Sen. Brownback & the broadcast flag, which would limit the scope of legislation to decrypt encrypted television broadcasts. "It was clear that the entire thing was theatre." It was a chance for interest groups to send messages to each other, make speeches on the record, etc. -- BUT NOT ACTUALLY DEBATE AND REACH A MUTUAL CONCLUSION. Everyone was too entrenched in their positions to reach any kind of consensus.

*****

General discussion

Rubin: In an era of soundbite media politics, an out-of-context remark can lead to getting both sides pissed at you. A remark that he didn't know if voting machines are vulnerable or not ended up getting both pro & anti e-voting people up in arms over his remarks.

Grove: The "all politics is local" bromide is relevant: you have more influence over local officials than you ever will at a national level, so leverage that.

Felten: the penalties mandated by laws like DMCA are draconian, but prosecutorial discretion is a useful counterbalance to such extremities.

*****

Questions:

The Slashdot effect can be useful: it brought unwanted attention to Michigan's "SuperDMCA", and brought 5000 letters on to SunnComm executives.

Being open is obvious & conservative to scientists, but seems radical to politicians. We need to make it clear to politicians that this is sound, well-accepted reasoning. (Questioner: Matt Blaze -- the panelists all seem to know him.)

Getting involved at the local level can encourage issues to "trickle up" to the state & federal level -- either by bringing national recognition to current issues, or by getting yourself known to people who will be players at higher levels in 10 or 15 years.

Nat Howard really wants USENIX attendees to know about his site, stupidsecurity.com. Two mentions so far!

Rubin: Getting the League of Women Voters to add a one line comment about "auditability" to their policy statement was perceived in the press as drastic policy change, even though that wasn't their intention. In any case, this was effective & appreciated.

Perry [...]: In dealing with the press, the most frustrating useful advice is "DON'T BE COMPLICATED." Don't give them room to misinterpret nuanced points, don't give them room to take comments out of context. Handouts reinforcing the official version of your point of view are also effective reinforcement.

USENIX '04: Bruce Schneier Q&A session

* security theatre & threat assessment need to be kept in mind
most threats are exaggerated; most attackers aren't that competent

* education is a big issue
schneier's mom will never, ever get internet security. (when she calls for tech support, the first thing they have her do is turn off her firewall, but they never actually remember to turn it back on when they're done with the call.)

* it's important to ask what a countermeasure is supposed to accomplish
why shut down the roads? does it keep truck bombs away? no, it just causes them to get poorer gas mileage on the way to their target. so what?

* it's important to manage risks & choose countermeasures that are actually efficient
banning taking photos in NYC is silly; getting people to report abandoned packages makes some sense

* how can we push for smarter policies? who can we talk to?
schneier tries to push for rational, nonpartisan debate. "we're fighting a holding action." we're probably stuck with dumb security for at least the next decade, but somehow not expecting to be able to win the debate makes him more assured.

* stupidsecurity.com admin: when rational debate fails, does browbeating & insulting dumb security make sense? he obviously thinks so, and schneier said it was a good website

* passive resistance is worth considering; get your peers to be aware & speak up with you

* some targets are worth heightened security efforts
the questioner seems to give conventions as a positive example; schneier cites airlines as another

USENIX '04: Bruce Schneier, Thinking Sensibly About Security in an Uncertain World

no powerpoint!

security is always a tradeoff

we are all security consumers, but are we getting a good deal on our investment?
* bulletproof vests are not worth it for most of us
* locking hotel door
* eating at starbucks

humans do security tradeoffs intuitively -- in fact, all animals do

on the other hand, we don't always make the right tradeoffs

the perception of control leads to a lessened sense of risk, even when this is false
* we feel safe in cars, but not planes, when the opposite should be true

(ignore the news -- if the events they show were common, it wouldn't be news)


Technology obscures risks


Any security decision involves players / stakeholders
they have their own perspectives, needs, agendas

the boston DNC tradeoffs make no sense, but city officials are happy with the tradeoff & terrified of the risk -- the people making the tradeoff aren't the ones inconvenienced

the military officials that authorized shooting down flight KAL007 did so because the last time a plane violated soviet airspace, that general went to jail; for this guy, shooting down the plane was better than jail, so he gave the order

average people have no incentive to find counterfeit currency

likewise with police, airline security, etc

schneier yesterday had an argument over getting around having his photo taken by building security in order to have a meeting at a downtown company. neither the VP he was meeting nor the boss of the security agent was able to bend the policy to let him in; eventually the security boss's boss found an "exception" to the mandatory photos rule, but said schneier was the first person to exercise it


we often don't think to exercise our leveraging power when making security negotiations

brilliant security countermeasure: "your purchase free if you don't get a receipt" -- it gets the customer involved as a stakeholder in the security equation in order to discourage employee theft


we need to accept risk; this may not be hard for usenix attendees, but it's frightening to most people

basic tradeoffs make sense, but diminishing returns kick in quickly

consumers have all the power, but we don't think to exercise it -- WE SHOULD!

USENIX 2004 Boston today

Just got to the USENIX 2004 Boston Technical sessions.

GL employees are here, we met up with Darren Chamberlain from Boston.com, and I finally got a copy of the Using GCC manual I edited last summer from the nice FSF people :-)