the inevitability of failure: the flawed assumption of security in modern computing environments

The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments

presented by Toby

Introduction

IntroductionPremise1. Ppl be debating lots of security additions• without much talk about the operating systems

IntroductionPremise1. Ppl be debating lots of security additions• without much talk about the operating systems

2. Debates are flawed—assume that application level security can be attained• on current operating systems

IntroductionPremise1. Ppl be debating lots of security additions• without much talk about the operating systems

2. Debates are flawed—assume that application level security can be attained• on current operating systems

3. Current (err.. 15 year old) operating systems are inadequate• from a security standpoint

2 The Missing Link

2 The Missing Link• Mandatory Security• Trusted Path

2 The Missing LinkMandatory Security• Mandatory Security:• “...any security policy where the definition of the

policy logic and the assignment of security attributes is tightly controlled by a system security policy administrator.” –this paper• The user should have no influence over the security

policy• in theory

2 The Missing LinkMandatory Security• Example systems that should have Mandatory

Security:• access control• authentication usage• cryptographic usage

2 The Missing LinkMandatory Security• According to the big black box, Mandatory Security

has these general benefits:• Confinement of applications (from a security standpoint)• Lack of burden on individual users to manage security• Narrowing of bandwidth of channels for leaking private

information• Increased accountability of unauthorized private

information flow

2 The Missing LinkMandatory Security• Example of 1998 state of OSes• Windows NT:• Two security domains:• Complete Privilege• Complete Unprivileged

• Pretty coarse-grained

2 The Missing LinkTrusted Path• “A trusted path is a mechanism by which a user

may directly interact with trusted software, which can only be activated by either the user or the trusted software and may not be imitated by other software.” –this paper

2 The Missing LinkTrusted Path• “A trusted path is a mechanism by which a user

may directly interact with trusted software, which can only be activated by either the user or the trusted software and may not be imitated by other software.” –this paper

2 The Missing LinkTrusted Path• Example given:• Windows NT:• Trusted path given for stuff like password changing• But no means for extending to other trusted software

3 General Examples

3 General ExamplesAccess Control

4 Concrete Examples

4 Concrete ExamplesMobile Code• Mobile code probably meant something much

different in 1998• Here: Java• Mobile = portable• Does not equal iPhone

4 Concrete ExamplesMobile Code• Java (1998):• “not tamperproof or unbypassable”

• i.e. you can break boundaries of abstraction• depends on the application-space access control for

security• e.g. executables could be tampered with

4 Concrete ExamplesKerberos• Malicious software could spoof client-side

authentication• Need a trusted path to guarantee this can’t happen• Client’s password could be obtained

4 Concrete ExamplesKerberos• Malicious software could spoof client-side

authentication• Need a trusted path to guarantee this can’t happen• Client’s password could be obtained

6 Summary

6 Summary• No single security mechanism will be a solution to

security problems• but we knew that

• Modern (1998) computing threats cannot be addressed without secure operating systems• they were right

• Authors hoped to motivate interest in OS security• well, people are interested• don’t know if it’s their doing or not