Pullman Auckland
MONDAY, 9TH MARCH 2015
William Cheswick
Visiting Scholar, U. Penn.
Computer Security: I think we can win!
Introduction
• Some things that aren't working
• What I mean by winning
• Engineering goals
• How we might attain them?
• Who are you gonna call?
• Conclusion
Bad signs
Things Aren’t Working Well
Massive data spills
• Credit cards
• TJX, Target, Home Depot, Chase, etc.
• Passwords
• RockYou, Facebook, Twitter, LinkedIn, Google, Adobe, SnapChatDB, Evernote, Stratfor, …
• Movies, email, etc. (Sony…)
• Major data spills all the time
• I have to check the morning news before I give these talks
Bad Signs
• A visit to grandma
• Virus checkers
Wrong track: virus checkers
• Virus checkers
• Forget the halting problem (solution: ^C)
• Like running background checks on homeless people living in your
bedroom
• StackGuard and similar technologies
• hobo-resistant rugs and furnishings
• Don’t get me wrong: we need these, for now.
Not working: checklists and audits
• Checklists certainly will catch oversights, but you are not
secure when you are done
• PCI audits have missed major, embarrassing intrusions.
• Alas, these are often the response to our endemic
problems.
Not Working: Best current practices
• Perhaps gives legal cover
• Can we actually even do any better?
• Effective solutions seem to be too invasive, too intense
• not good for business
Not working: Laws, General and Specific
• General: nice guidelines, but exactly how much protection
does HIPAA demand
• Specific: see Checklists, above
• Liability: who will be left to write any software if you
demand full liability?
Not working: Things we ask users to do
• Don’t click on attachments, especially of unknown origin.
• Pick an unmemorable password for each of dozens of
sites, and don’t write them down.
• Remember our particular password rules
• Don’t go to bad URLs, e.g. micros0ft.com
Not working: user education
• They don’t (can’t!) understand the complexities of the
computer and making the right decisions.
• Even the experts generally lack all the information needed
to make the fully-informed choice.
• Even if you do know what you are doing, we all use
computers when a little tired sometimes.
Not working: strong passwords
• Forty years of research and experience show that people
cannot select and remember a passphrase that is
resistant to a full-blown dictionary attack; and especially
not different ones for dozens of different sites.
• More poor engineering: it just doesn’t work by itself, and isn’t
needed when used with the right authentication tools.
Not working: PKI
• The trusted CA list is way out of hand
• Major attacks find ways around this. Stuxnet, others.
• Try CertPatrol on Firefox to see what is going on
• (Actually, this is a cesspool. Certificate Transparency or similar
efforts?)
Not working: perimeter security and firewalls
• 100,000 hosts is too many to protect
• 40 is about right, for me
• Typical company has 1–2 IP addresses per employee, as
of 2006
• in one case: 5,000 firewalls, with 5,000 rules each?!
• Firewalls: low grade security. Perimeter defenses are easily
penetrated, and that is probably not going to improve much.
Not working: back doors for maintenance
• sendmail in the 1980s
• Passwords into network devices, printers, etc.
• Intel’s SMM, for starters
• Ask your telco folks about widely-known passwords
Failed sandboxes/OSes
• Java - supposed to fix all this in the 1990s
• defeated by native methods
• Operating systems: fighting malicious users since the
1960s
• Many of the lessons have been ignored
Not working: legacy problems and software
The tyranny of legacy systems
• We can’t rewrite this, it’s our whole business, and our
customers rely on it and want enhancements.
• (this started as a good system)
• Case in point: Cisco IOS. You can name a bunch more.
• Successes…
What is the current state of affairs? Lousy!
• Spies are all in our business
• Huge advantage to the attackers
• Crappy client operating systems
• leaky sandboxes
• feature-driven design forces poor security choices
• A visit to grandma's house
Apparently, governments aren’t doing too well,
either
• Numerous attacks on .mil
• Citizen hackers
• Insiders: Snowden, Assange, etc.
Stuxnet and Snowden: a peek at the spooks
• Stuxnet: I never dreamed we would learn about it
• Lots of careful, hard work, but mistakes happen
• No real technical surprises: just a lot of hard work
• The spooks have the same problems we do:
• USB sticks, excessive monitoring is counter-productive
• Intellink: Maintaining enclaves
The dog that hasn’t barked
• NSA might be best funded, but certainly isn’t the only
group with similar capabilities.
• There are disincentives to publicize most break-ins
• Evil thoughts: email monitoring can yield M&A information,
blackmail. For congressmen, blackmail big time, esp.
phone records.
Sick and Tired
• APT are not Advanced, but certainly Persistent and
Threats
• Most of the attacks are on the same kinds of weaknesses:
we are not making much progress
• Consarn it, I am becoming an old timer!
Things are going to get better
Why?
• It is early in the game
• We haven’t been trying very hard (!)
• We can spend a lot on generating, testing, and verifying
software, then distribute it for free and have strong
assurances that we got what we were supposed to
• They are our computers, our software, and our networks.
This home-field advantage should be very daunting for
attackers.
It’s Early in the game
The car metaphor
• I didn’t like it: apples and oranges
• Now I do: grapes and raisins
• Consider the Ford Model T:
Ford Model T (1913)
• 20 hp
• ran on gasoline, kerosene,
and ethanol
• rear wheel drive
• two speeds, plus reverse
Ford Model T (1913, cont.)
• grey, green, blue, and red
• 1909–1913; Not black!
• 1913 model (shown) was $550
• four months pay for an assembly line worker.
• Now, with Electric start!
• Modern UI was at least three years away
Some old-timey auto stuff
• Fading terms: choke, “flood the engine”, vapor lock,
double-clutch
• friction point
• My mother had a car you had to back up steep hills
because there wasn’t a fuel pump
• First seat belts (two-point) common in mid-1960s
• “Safety third” — Mike Rowe
It’s not the driver’s fault if the engine catches fire
• This is an engineering problem.
• We don’t accept most company claims that it is the
driver’s fault.
• “Sudden acceleration events” do seem to involve the
driver hitting the wrong pedal.
• Poor design killed John Denver
You don’t have to be a mechanic to drive
your car, and you shouldn’t have to be a
security expert to use your computer safely.
Long view: it is still early in the computer
revolution
• I know, I know, we aren’t talking UNIVAC or “minicomputers”
any more.
• Moore’s law has gone a very long way.
• The order of things: make it work, then worry about security:
(It Works!)
• rlogin, NFS, X windows, MSFT before 2001.
• But look where we are in UIs: I thought we might get stuck
with MSFT menus, like the QWERTY keyboard
Still early in the computing game: terminal or
desktop?
• Mainframes (Roosevelt)
• Timesharing (Kennedy)
• Minicomputers (Kennedy)
• Workstations (Reagan)
• Client/server
• X terminals and Plan 9 (Reagan)
• Palmtop (Clinton)
• Cloud computing (Bush 43)
UI?
• Tired of listing them, but pinching/tapping/sliding is only
about 10 years old
• Microsoft is migrating away from their awful drop down menus!
• Good UIs are part of the solution
What do I mean by “winning”
This is going to get better
• I love living in the future
• Velcro, 12-hour nasal spray, surgical “lasers”, routine rockets to
LEO, astonishing computers
• Sick and tired of computer and network security problems
• Hacked for CPU seconds!
• Already a lot of good security work done
• Time sharing, Multics
• Spooks
What Does Winning Look Like?
• Locks in London
• Spiral dives and the artificial horizon
• Vaccines: Rinderpest, Smallpox(?), Polio(?)
• Hotel room doors
• Analog phone cloning
• ATM cards
• Automobile keys
What winning looks like
• You must be present to win.
• No more need for training about clicking on bad things
• More non-IT time with grandma.
I think we can win
• Meaning: build an affordable computing platform that can’t
be compromised by any user error not involving a
screwdriver
• It’s our hardware, our software, and our network
connection. We ought to be able to control it, dammit!
• Winning doesn’t mean that your machine can’t misbehave
on the Internet
Winning Doesn’t Mean It’s Perfect
• It never does: there is no such thing
• Winning means good enough
Actually, it is already getting better
• Melissa? Blaster? Weak network services seem to be
hard to find.
• Software “annealing” and sendmail(8)
• It’s not so much about script kiddies any more.
Some Engineering Specifications Needed for
Winning
• A rock-solid client (Windows OK?)
• Hardware worthy of our trust
• Usable crypto
• Reasonable expectations of the results
Design goals for Grandma’s computer
• There’s nothing she can type, tap, swipe, or click on that
will change the software she is running, or change her
trusted computing base.
• There is nothing a remote attacker can do to her computer
without having physical access to the hardware. And
maybe even that is hard work.
To me, this means…
• Static, signed trusted software, possibly not upgradable(!)
• A rock-solid, proven sandbox that we can run alien software
in, particularly HTML5, Java, and JavaScript.
• Alien software can be ably and reliably contained and run in a
sandbox that preserves all of the above guarantees.
• The software she runs can be reliably ascribed to a particular
vendor, and that vendor can be confident enough to be willing
to assume significant liability for misbehavior of that software.
Design goals for Grandma’s computer (cont.)
• Grandma has clear indications when she is surfing the
web off of well-defined paths on the Internet.
We have an old-fashioned name for this kind of
software
• It is called an “operating system,” and back in the Nixon
era, we were designing them with these properties in
mind.
• Rapid growth, market forces (that’s you), vast legacy OS
designs that missed the point (VMS -> Windows ->
Windows NT -> …)
• It appears that a vast army of volunteer programmers is
not capable of making small, simple, clean designs.
A solution for 70% of the client machines?
• Grandma
• Employees
• Students
• Troops? (MIL-spec for all!)
A note on Grandma
Purchasers
• Ask for/insist on reliable machines for your 70%
• Replace legacy stuff with easily-upgraded stuff, when
possible
• Assume you are being watched: what would that look
like?
• Go check.
Target users for this computer
• Grandmas, for large values of grandma
• Most employees and regular computer users
• Most military clients. Grandma could run Milspec.
• Maybe 70% of the market?
• Not gamers.
Hardware worth our trust
“Security people are paid to think bad thoughts”
• — Bob Morris
Security paranoia
• We live in a dark world.
• A lot of thoughts are dismissed as “theoretical”
• But they end up showing up, eventually.
• Here are some examples
Intel’s SMM mode: lurking insecurity
• Been around since the Intel 386. A separate, protected
“maintenance mode”.
• It has always worried me.
• A major player in the list of specific attacks mentioned
in the Snowden releases.
• The star of several security papers.
Pentium complexity
• Rings 3 and 0
• System Management Mode*
• Virtual machine interface
• Microcode?!
• How bad can a compromised CPU be?
* Duflot, Loïc, Daniel Etiemble, and Olivier Grumelard. “Using CPU system management mode to circumvent operating system security functions.” CanSecWest/core06 (2006). http://cs.usfca.edu/~cruse/cs630f06/duflot.pdf
Usable crypto
Usable, trustable crypto
• Johnny still can’t encrypt
• Cryptology is the really hard part
• I think society needs to make a firm choice, and make the
spooks follow.
• We still can’t prove a crypto protocol secure
• “Crypto is a field of endeavor where we hope there won’t
be progress.” — Matt Blaze
Reasonable expectations
• People will always be able to fool some of the people
• Don’t forget the three B’s: burglary, bribery, and blackmail.
• Any public service can be hit with denial-of-service attacks
• Attribution is going to continue to be a problem, because
the Internet connects to all the bad neighborhoods.
Lessons, and things that worry me
Better than passwords
• Both SNK-004 and SecurID are much better than passwords
• SNK-004 used symmetric key, known only to device and
server
• PIN known only to device
• SecurID’s key known to device, server, RSA
• SNK was an ε better
ε had a large value
• RSA break-in caused major attacks on a government
contractor and others
• RSA had to reissue fobs
• All of this was because they relied on a (successful)
business model that had a security weakness.
• RSA is not a slouch in the security business.
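The two token designs the slides above contrast, as an added example that is not part of the talk: an HMAC-SHA256 challenge-response token whose key exists only on the device and the server, beside a time-based token whose seed table the vendor also retains. Class and function names are hypothetical, and the real SNK-004 and SecurID algorithms are not reproduced, only the key-custody difference the slides describe.

```python
"""Constructed example (not from the talk): two one-time-password designs
modelled with HMAC-SHA256. The SNK-004-style device answers a fresh server
challenge with a key held only by the device and the server; the SecurID-style
fob emits time-based codes from a seed that the vendor also keeps a copy of.
All names are hypothetical."""
import hashlib
import hmac
import secrets
import struct

DIGITS = 6


def _truncate(mac: bytes) -> str:
    # HOTP-style dynamic truncation of a MAC to a fixed number of decimal digits
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def challenge_response(key: bytes, challenge: bytes) -> str:
    """Device side of the SNK-style exchange: response = f(key, challenge)."""
    return _truncate(hmac.new(key, challenge, hashlib.sha256).digest())


def time_code(seed: bytes, now: int, step: int = 60) -> str:
    """Fob side of the time-based design: code = f(seed, floor(now / step))."""
    counter = struct.pack(">Q", now // step)
    return _truncate(hmac.new(seed, counter, hashlib.sha256).digest())


class ChallengeResponseServer:
    """One key per user; the key exists in exactly two places: here and on the device."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._pending: dict[str, bytes] = {}

    def enroll(self, user: str) -> bytes:
        # key generated at enrollment and handed to the device; no third party sees it
        key = secrets.token_bytes(32)
        self._keys[user] = key
        return key

    def challenge(self, user: str) -> bytes:
        # a fresh random challenge per login attempt: a captured response is useless later
        c = secrets.token_bytes(16)
        self._pending[user] = c
        return c

    def verify(self, user: str, response: str) -> bool:
        # the pending challenge is consumed whether or not the answer is right (no replay)
        c = self._pending.pop(user, None)
        if c is None or user not in self._keys:
            return False
        expected = challenge_response(self._keys[user], c)
        return hmac.compare_digest(expected, response)


class TimeCodeServer:
    """Time-based verifier; the same seed table is also retained by the vendor."""

    def __init__(self, seeds: dict, step: int = 60) -> None:
        self._seeds = seeds
        self._step = step
        self._last_counter: dict = {}

    def verify(self, user: str, code: str, now: int) -> bool:
        seed = self._seeds.get(user)
        if seed is None:
            return False
        counter = now // self._step
        # accept only the current window, and never the same window twice
        if self._last_counter.get(user, -1) >= counter:
            return False
        if hmac.compare_digest(time_code(seed, now, self._step), code):
            self._last_counter[user] = counter
            return True
        return False


def demo() -> dict:
    """Run both designs once and report what happened."""
    cr = ChallengeResponseServer()
    device_key = cr.enroll("grandma")
    c = cr.challenge("grandma")
    answer = challenge_response(device_key, c)
    first = cr.verify("grandma", answer)
    replayed = cr.verify("grandma", answer)  # same answer again: rejected

    # Constructed vendor-held seed table: a copy of exactly what the server uses,
    # so a code minted from it is indistinguishable from the fob's own.
    vendor_table = {"grandma": secrets.token_bytes(32)}
    tc = TimeCodeServer(dict(vendor_table))
    now = 1_425_855_600  # constructed timestamp, 9 March 2015 UTC
    fob = time_code(vendor_table["grandma"], now)
    ok = tc.verify("grandma", fob, now)
    reused = tc.verify("grandma", fob, now + 5)  # same window: rejected
    return {"cr_ok": first, "cr_replay": replayed, "tc_ok": ok, "tc_reuse": reused}
```

The server cannot tell a code computed from the vendor’s seed copy from one computed by the fob, which is the ε the slides refer to: the time-based design has one more place where the secret must stay secret.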
“The best is the enemy of the good”
• A call for mediocrity in the name of getting something
done.
• Don’t flatter yourself that your efforts are “good”.
• Also, from Soul of a New Machine, “Not all jobs are worth
doing right.”
• This leads to…
Aspects of Virtual Machines worry me
• The kernel/hardware interface is not a natural security
perimeter
• The trusted kernel (DOM0) is generally huge
• Co-resident VMs may leak data, and there are papers
demonstrating this
Aspects of Virtual Machines worry me (cont.)
• It seems very hard or impossible to hide the VM’s
activities from the supplier
• Homomorphic encryption is a rat-hole:
• never efficient if even possible
• opens algorithms to a whole new field of attacks similar to traffic analysis
• The virus guys are already doing this, a bit.
Cloud computing
• Clearly there is a use for bulk computing
• Netflix is the best example: high volume, low security
• Security is going to remain an issue
• See VMs (above)
Shared libraries seem like a bad security idea
• You can change a program after it is installed
• A checksum of a binary does not ensure that it is the
same program
• Makes installation in a chroot(8) environment more difficult,
and requires extra crap in that environment.
Not working: shared and dynamic libraries
• “sshd day zero bug” in 2013 was a shared library replacement attack.
• Long history of similar attacks
• implemented to save memory and load time back in the days of
small memory and the X Window System
• not worth it
• Make all your binaries static!
• Ditto DLLs
New car troubles: we aren’t learning
• Note: cars now need the second kind of firewall
• Attacks on the CAN bus (It Works!)
• attacks through Bluetooth, evil mp3 files, etc.
• web search for “CANBUS security”
• Tiffany Rad
• Here we go again
Long upgrade chains
• Linus -> ….
• -> ubuntu/redhat/… -> ….
• -> raspberry Pi
• -> DSL modems, routers, printers, wireless base stations
• -> onboard aircraft entertainment systems
• -> travel information displays in airports, subways, etc.
• -> thermostats, refrigerators, etc.
Long upgrade chains (cont.)
• Microsoft -> Windows n ->
• -> office workers
• -> utility machines
• -> FDA -> medical devices
• -> thermostats, refrigerators, etc.
Upgrade chains (cont.)
• Some really ancient system running on dead operating
systems modified by people who retired fifteen years ago
->
• -> that vital, irreplaceable controller on the factory floor
that still has fifteen years left on its depreciation schedule
Good news, everyone!
• Apple pretty much got out of this business.
• Upgrades are very easy and widespread
• They had to rewrite their operating system for the Mac
around 1999
• iOS had some great security ideas built in, perhaps the
most important:
• an app can’t mess with another app’s stuff
Layers are good
Some crappy layers
• Your firewalls to the Internet
• Your employees
• Whatever special arrangements your CEO might have in
place
• Any Microsoft operating system
• Your physical security
Who are you gonna call?
Who Are You Gonna Call?
• Hyper-careful industrialists
• Dean Kamen (insulin pumps, wheelchairs)
• Elon Musk (rockets, cars)
Government policies
• Mandate “no back doors”
• Allow/encourage data sharing about attacks
• buy safer computers
Microsoft?
• They certainly turned around in 2001
• Vista and Win7 appear to be vastly more secure than
Windows XP
• This was a huge job. I don’t know how much of the legacy
problem they solved.
Windows OK
• There is nothing you can click, tap, or say that will corrupt
your computer.
• It should be intuitively obvious when you are not visiting a
Fortune 500 web site, or a place you have never searched
before.
• Offers standard services
• It could meet the specs for this dream system.
Do we have this already?
• Jeff Jones (MSFT) said Win 7 was much safer than
corresponding Linux
• Maybe Win 8, too
• Seems like an awfully large hunk of software to declare
victory, and maybe they haven’t.
Apple?
• Macintosh redesigned in late 1990s, on FreeBSD
• Vastly improved, big market success. Does have legacy software that
lagged for a while.
Maybe iOS...
• Certainly Apple tried hard to design security into iOS, and
they had a fresh start, sort of
• App isolation and app walled garden were key security
goals.
• How can we tell? Measure security…
iPhone authentication
• The iPhone looks like a nearly ideal solution
• It is nearly always with us
• It has enough CPU power for strong crypto
• Various sensors are suitable for biometric identification and
authentication
• Location information is readily available
• It seems to be somewhat resistant to attacks.
Apple security?
Apple security?
• I love these devices, so I learned Rejective C and usually
follow their UI advice slavishly.
• NeXTSTEP is from the late 1980s, which is okay in itself, but
• retain count stuff went away (mostly) only a couple years ago when
ARC came
• It’s not just my software that crashes
Apple security?
• I don’t see how anyone can have confidence that their
non-trivial program is correct in this system.
• AND…they get jailbroken as soon as there is a new
release. This is not a good sign.
• My best bet for the most secure clients at the moment, but
it is scary
This just in about Apple
• Forensics experts tell me it is getting harder and harder to
jailbreak new Apple iOS releases
• Annealing in action
• A good sign
• But: hackers report secret protocol options and perhaps
back doors.
Google
• A lot of efforts in important areas, with security on their
mind:
• Android
• Chrome
• Chromium
• and go (a nice language)
Android
• Android is the regular and systematic target of security
research papers, probably because it is much more
accessible than iOS.
• As for the apps: “the problem with folk songs is that they
are written by the people.” — Tom Lehrer
• It is also the basis for some brand new attempts at secure
clients, like Boeing Black.
Other players
• Any of these companies could start over, and maybe
some should
• A basic operating system has approximately a $0 billion
startup cost.
Academic and other research groups
• Small teams have produced very interesting operating
systems, and I bet small is going to be an important part of
the answer. Some examples:
• Plan 9, Minix 3
• Peter Neumann, DARPA CRASH program: clean slate redesign from
hardware on up.
• The military has a strong interest in this, and even in
disseminating the solution
• cf. SELinux
I think we can win
• It is our hardware, and our software
• There is no law of physics that says this can’t be done, and
• We have engineered reliable systems out of unreliable parts
before.
• We have the home-field advantage
• Correct software can be implemented, if we are very careful
I won’t live to see all this happen
• And there will still be plenty of security problems
• You can always fool people somehow
• And every public service can be flooded by the public
(DDoS)

 
Erica Hardinge - CSO Perspectives Roadshow 2016
Erica Hardinge - CSO Perspectives Roadshow 2016Erica Hardinge - CSO Perspectives Roadshow 2016
Erica Hardinge - CSO Perspectives Roadshow 2016
 
Robert Lentz - CSO Perspectives Roadshow 2016
Robert Lentz - CSO Perspectives Roadshow 2016Robert Lentz - CSO Perspectives Roadshow 2016
Robert Lentz - CSO Perspectives Roadshow 2016
 
CSO Breakfast in Partnership with ESET 1st Dec - Juraj Malcho Presentation
CSO Breakfast in Partnership with ESET 1st Dec - Juraj Malcho PresentationCSO Breakfast in Partnership with ESET 1st Dec - Juraj Malcho Presentation
CSO Breakfast in Partnership with ESET 1st Dec - Juraj Malcho Presentation
 
CSO Breakfast in Partnership with ESET - Juraj Malcho Presentation
CSO Breakfast in Partnership with ESET - Juraj Malcho PresentationCSO Breakfast in Partnership with ESET - Juraj Malcho Presentation
CSO Breakfast in Partnership with ESET - Juraj Malcho Presentation
 
CSO CXO Series Breakfast in partnership with Kaspersky Lab,, 11th Nov Sydney....
CSO CXO Series Breakfast in partnership with Kaspersky Lab,, 11th Nov Sydney....CSO CXO Series Breakfast in partnership with Kaspersky Lab,, 11th Nov Sydney....
CSO CXO Series Breakfast in partnership with Kaspersky Lab,, 11th Nov Sydney....
 
CSO CXO Series Breakfast
CSO CXO Series BreakfastCSO CXO Series Breakfast
CSO CXO Series Breakfast
 
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
 
Francis Kaitano Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Francis Kaitano Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015Francis Kaitano Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Francis Kaitano Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
 

Recently uploaded

The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 

Recently uploaded (20)

The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 

William Cheswick Presentation - CSO Perspectives Roadshow 2015

11. Not working: Things we ask users to do
• Don’t click on attachments, especially of unknown origin.
• Pick an unmemorable password for each of dozens of sites, and don’t write them down.
• Remember our particular password rules
• Don’t go to bad URLs, e.g. micros0ft.com

12. Not working: user education
• They don’t (can’t!) understand the complexities of the computer well enough to make the right decisions.
• Even the experts generally lack all the information needed to make the fully-informed choice.
• Even if you do know what you are doing, we all use computers when a little tired sometimes.

13. Not working: strong passwords
• Forty years of research and experience show that people cannot select and remember a passphrase that is resistant to a full-blown dictionary attack, and especially not different ones for dozens of different sites.
• More poor engineering: it just doesn’t work by itself, and isn’t needed when used with the right authentication tools.

14. Not working: PKI
• The trusted CA list is way out of hand
• Major attacks find ways around this. Stuxnet, others.
• Try CertPatrol on Firefox to see what is going on
• (Actually, this is a cesspool. Certificate Transparency or similar efforts?)

15. Not working: perimeter security and firewalls
• 100,000 hosts is too many to protect
• 40 is about right, for me
• Typical company has 1–2 IP addresses per employee, as of 2006
• in one case: 5,000 firewalls, with 5,000 rules each?!
• Firewalls: low grade security. Perimeter defenses are easily penetrated, and that is probably not going to improve much.

16. Not working: back doors for maintenance
• sendmail in the 1980s
• Passwords into network devices, printers, etc.
• Intel’s SMM, for starters
• Ask your telco folks about widely-known passwords

17. Failed sandboxes/OSes
• Java: supposed to fix all this in the 1990s
• defeated by native methods
• Operating systems: fighting malicious users since the 1960s
• Many of the lessons have been ignored

18. Not working: legacy problems and software

19. The tyranny of legacy systems
• We can’t rewrite this, it’s our whole business, and our customers rely on it and want enhancements.
• (this started as a good system)
• Case in point: Cisco IOS. You can name a bunch more.
• Successes….

20. What is the current state of affairs? Lousy!
• Spies are all in our business
• Huge advantage to the attackers
• Crappy client operating systems
• leaky sandboxes
• feature-driven design forces poor security choices
• A visit to grandma's house

21. Apparently, governments aren’t doing too well, either
• Numerous attacks on .mil
• Citizen hackers
• Insiders: Snowden, Assange, etc.

22. Stuxnet and Snowden: a peek at the spooks
• Stuxnet: I never dreamed we would learn about it
• Lots of careful, hard work, but mistakes happen
• No real technical surprises: just a lot of hard work
• The spooks have the same problems we do:
• USB sticks; excessive monitoring is counter-productive
• Intellink: maintaining enclaves

23. The dog that hasn’t barked
• NSA might be best funded, but certainly isn’t the only group with similar capabilities.
• There are disincentives to publicize most break-ins
• Evil thoughts: email monitoring can yield M&A information, blackmail. For congressmen, blackmail big time, esp. phone records.

24. Sick and Tired
• APT are not Advanced, but certainly Persistent and Threats
• Most of the attacks are on the same kinds of weaknesses: we are not making much progress
• Consarn it, I am becoming an old timer!

25. Things are going to get better

26. Why?
• It is early in the game
• We haven’t been trying very hard (!)
• We can spend a lot on generating, testing, and verifying software, then distribute it for free and have strong assurances that we got what we were supposed to
• They are our computers, our software, and our networks. This home-field advantage should be very daunting for attackers.

27. It’s Early in the game

28. The car metaphor
• I didn’t like it: apples and oranges
• Now I do: grapes and raisins
• Consider the Ford Model T:

29. Ford Model T (1913)
• 20 hp
• ran on gasoline, kerosene, and ethanol
• rear wheel drive
• two speeds, plus reverse

30. Ford Model T (1913, cont.)
• grey, green, blue, and red
• 1909–1913; Not black!
• 1913 model (shown) was $550
• four months’ pay for an assembly line worker
• Now, with Electric start!
• Modern UI was at least three years away

33. Some old-timey auto stuff
• Fading terms: choke, “flood the engine”, vapor lock, double-clutch
• friction point
• My mother had a car you had to back up steep hills because there wasn’t a fuel pump
• First seat belts (two-point) common in mid-1960s
• “Safety third” —Mike Rowe

35. It’s not the driver’s fault if the engine catches fire
• This is an engineering problem.
• We don’t accept most company claims that it is the driver’s fault.
• “Sudden acceleration events” do seem to involve the driver hitting the wrong pedal.
• Poor design killed John Denver

36. You don’t have to be a mechanic to drive your car, and you shouldn’t have to be a security expert to use your computer safely.

37. Long view: it is still early in the computer revolution
• I know, I know, we aren’t talking UNIVAC or “minicomputers” any more.
• Moore’s law has gone a very long way.
• The order of things: make it work, then worry about security: (It Works!)
• rlogin, NFS, X windows, MSFT before 2001.
• But look where we are in UIs: I thought we might get stuck with MSFT menus, like the QWERTY keyboard

38. Still early in the computing game: terminal or desktop?
• Mainframes (Roosevelt)
• Timesharing (Kennedy)
• Minicomputers (Kennedy)
• Workstations (Reagan)
• Client/server
• X terminals and Plan 9 (Reagan)
• Palmtop (Clinton)
• Cloud computing (Bush 43)

39. UI?
• Tired of listing them, but pinching/tapping/sliding is only about 10 years old
• Microsoft is migrating away from their awful drop-down menus!
• Good UIs are part of the solution

40. What do I mean by “winning”?

41. This is going to get better
• I love living in the future
• Velcro, 12-hour nasal spray, surgical “lasers”, routine rockets to LEO, astonishing computers
• Sick and tired of computer and network security problems
• Hacked for CPU seconds!
• Already a lot of good security work done
• Time sharing, Multics
• Spooks

42. What Does Winning Look Like?
• Locks in London
• Spiral dives and the artificial horizon
• Vaccines: Rinderpest, Smallpox(?), Polio(?)
• Hotel room doors
• Analog phone cloning
• ATM cards
• Automobile keys

43. What winning looks like
• You must be present to win.
• No more need for training about clicking on bad things
• More non-IT time with grandma.

44. I think we can win
• Meaning: build an affordable computing platform that can’t be compromised by any user error not involving a screwdriver
• It’s our hardware, our software, and our network connection. We ought to be able to control it, dammit!
• Winning doesn’t mean that your machine can’t misbehave on the Internet

45. Winning Doesn’t Mean It’s Perfect
• It never does: there is no such thing
• Winning means good enough

46. Actually, it is already getting better
• Melissa? Blaster? Weak network services seem to be hard to find.
• Software “annealing” and sendmail(8)
• It’s not so much about script kiddies any more.

47. Some Engineering Specifications Needed for Winning
• A rock-solid client (Windows OK?)
• Hardware worthy of our trust
• Usable crypto
• Reasonable expectations of the results

48. Design goals for Grandma’s computer
• There’s nothing she can type, tap, swipe, or click on that will change the software she is running, or change her trusted computing base.
• There is nothing a remote attacker can do to her computer without having physical access to the hardware. And maybe even that is hard work.

49. To me, this means…
• Static, signed trusted software, possibly not upgradable(!)
• A rock-solid, proven sandbox that we can run alien software in, particularly HTML5, Java, and Javascript.
• Alien software can be ably and reliably contained and run in a sandbox that preserves all of the above guarantees.
• The software she runs can be reliably ascribed to a particular vendor, and that vendor can be confident enough to be willing to assume significant liability for misbehavior of that software.

50. Design goals for Grandma’s computer (cont.)
• Grandma has clear indications when she is surfing the web off of well-defined paths on the Internet.

51. We have an old-fashioned name for this kind of software
• It is called an “operating system,” and back in the Nixon era, we were designing them with these properties in mind.
• Rapid growth, market forces (that’s you), vast legacy OS designs that missed the point (VMS -> Windows -> Windows NT -> …)
• It appears that a vast army of volunteer programmers is not capable of making small, simple, clean designs.

52. A solution for 70% of the client machines?
• Grandma
• Employees
• Students
• Troops? (MIL-spec for all!)

53. A note on Grandma

54. Purchasers
• Ask for/insist on reliable machines for your 70%
• Replace legacy stuff with easily-upgraded stuff, when possible
• Assume you are being watched: what would that look like?
• Go check.

55. Target users for this computer
• Grandmas, for large values of grandma
• Most employees and regular computer users
• Most military clients. Grandma could run Milspec.
• Maybe 70% of the market?
• Not gamers.

56. Hardware worth our trust

57. “Security people are paid to think bad thoughts”
• — Bob Morris

58. Security paranoia
• We live in a dark world.
• A lot of thoughts are dismissed as “theoretical”
• But they end up showing up, eventually.
• Here are some examples

59. Intel’s SMM mode: lurking insecurity
• Been around since the Intel 386. A separate, protected “maintenance mode”.
• It has always worried me.
• A major player in the list of specific attacks mentioned in the Snowden releases.
• The star of several security papers.

60. Pentium complexity
• Rings 3 and 0
• System Management Mode*
• Virtual machine interface
• Microcode?!
• How bad can a compromised CPU be?
* Duflot, Loïc, Daniel Etiemble, and Olivier Grumelard. Using CPU system management mode to circumvent operating system security functions. CanSecWest/core06 (2006). http://cs.usfca.edu/~cruse/cs630f06/duflot.pdf

61. Usable crypto

62. Usable, trustable crypto
• Johnny still can’t encrypt
• Cryptology is the really hard part
• I think society needs to make a firm choice, and make the spooks follow.
• We still can’t prove a crypto protocol secure
• “Crypto is a field of endeavor where we hope there won’t be progress.” —Matt Blaze

63. Reasonable expectations
• People will always be able to fool some of the people
• Don’t forget the three B’s: burglary, bribery, and blackmail.
• Any public service can be hit with denial-of-service attacks
• Attribution is going to continue to be a problem, because the Internet connects to all the bad neighborhoods.

65. Better than passwords
• Both are much better than passwords
• SNK-004 used a symmetric key, known only to device and server
• PIN known only to device
• SecurID’s key known to device, server, RSA
• SNK was an ε better

66. ε had a large value
• RSA break-in caused major attacks on a government contractor and others
• RSA had to reissue fobs
• All of this was because they relied on a (successful) business model that had a security weakness.
• RSA is not a slouch in the security business.
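The key-custody point of slides 65 and 66, as an added example (my code, not from the talk or from any token vendor): a challenge-response login in which the device key is shared with the server alone and the PIN is checked on the device and never transmitted, so there is no third party whose compromise reissues everyone's fobs. HMAC-SHA256 over a random challenge is an assumed construction for illustration, not the actual SNK-004 or SecurID algorithm; `AuthServer`, `Token` and `login` are names I chose.

```python
"""Challenge-response login with a device-held symmetric key.

Added example, not code from the talk. It models the key custody the slides
describe for SNK-004: the key is shared by the device and the server only, and
the PIN is checked on the device and never sent. HMAC-SHA256 over a random
challenge is an assumed construction for illustration, not the real SNK or
SecurID algorithm.
"""
import hashlib
import hmac
import secrets


class AuthServer:
    """Holds one symmetric key per enrolled device. It never sees a PIN."""

    def __init__(self):
        self._keys = {}          # device_id -> shared key
        self._outstanding = {}   # device_id -> challenge awaiting an answer

    def enroll(self, device_id, key):
        self._keys[device_id] = key

    def challenge(self, device_id):
        # A fresh random challenge per login attempt; answering it proves
        # possession of the key without ever transmitting the key.
        c = secrets.token_bytes(16)
        self._outstanding[device_id] = c
        return c

    def verify(self, device_id, response):
        c = self._outstanding.pop(device_id, None)
        if c is None:
            return False         # nothing outstanding: a replayed or stale answer
        expected = hmac.new(self._keys[device_id], c, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Token:
    """The handheld device: the shared key plus a PIN checked locally."""

    def __init__(self, key, pin):
        self._key = key
        self._pin = pin.encode()

    def respond(self, pin, challenge):
        # The PIN only unlocks the device; a wrong PIN yields no response at all.
        if not hmac.compare_digest(pin.encode(), self._pin):
            raise PermissionError("wrong PIN")
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def login(server, token, device_id, pin):
    """One round trip: server challenge, device response, server check."""
    c = server.challenge(device_id)
    r = token.respond(pin, c)
    return server.verify(device_id, r)


def demo():
    """Returns (good login ok, wrong PIN blocked, first use ok, replay rejected)."""
    key = secrets.token_bytes(32)        # generated at enrollment (constructed)
    server = AuthServer()
    server.enroll("fob-1", key)
    token = Token(key, "4711")           # constructed sample PIN

    good = login(server, token, "fob-1", "4711")

    try:
        login(server, token, "fob-1", "0000")
        wrong_pin_blocked = False
    except PermissionError:
        wrong_pin_blocked = True

    # A captured response is useless later: the challenge it answered is gone.
    c = server.challenge("fob-1")
    r = token.respond("4711", c)
    first = server.verify("fob-1", r)
    replay = server.verify("fob-1", r)
    return good, wrong_pin_blocked, first, replay


if __name__ == "__main__":
    print(demo())   # (True, True, True, False)
```

The server-side table in `AuthServer` is the only place besides the device where the key lives; the ε the slide refers to is exactly the absence of a third copy held by the manufacturer. Challenges are consumed on first use, so a response observed on the wire cannot be replayed.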
67. “The best is the enemy of the good”
• A call for mediocrity in the name of getting something done.
• Don’t flatter yourself that your efforts are “good”.
• Also, from Soul of a New Machine, “Not all jobs are worth doing right.”
• This leads to…

68. Aspects of Virtual Machines worry me
• The kernel/hardware interface is not a natural security perimeter
• The trusted kernel (DOM0) is generally huge
• Co-resident VMs may leak data, and there are papers demonstrating this

69. Aspects of Virtual Machines worry me (cont.)
• It seems very hard or impossible to hide the VM’s activities from the supplier
• Homomorphic encryption is a rat-hole:
• never efficient, if even possible
• opens algorithms to a whole new field of attacks similar to traffic analysis
• The virus guys are already doing this, a bit.

70. Cloud computing
• Clearly there is a use for bulk computing
• Netflix is the best example: high volume, low security
• Security is going to remain an issue
• See VMs (above)

71. Shared libraries seem like a bad security idea
• You can change a program after it is installed
• A checksum of a binary does not ensure that it is the same program
• Makes installation in a chroot(8) environment more difficult, and requires extra crap in that environment.

72. Not working: shared and dynamic libraries
• “sshd day zero bug” in 2013 was a shared library replacement attack.
• Long history of similar attacks
• implemented to save memory and load time back in the days of small memory and the X window system
• not worth it
• Make all your binaries static!
• Ditto DLLs
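The claim on slides 71 and 72 that a checksum of a dynamically linked binary does not pin down the program, as an added example (my code, not the talk's). It parses `ldd`-style dependency output (a constructed sample, not a live run) and hashes the binary together with every library it resolves against; the demo swaps a constructed library and shows the binary's own hash is unchanged while the program the loader would assemble is not. `parse_ldd`, `manifest_digest` and the sample paths are mine.

```python
"""Why a checksum of a dynamically linked binary does not pin down the program.

Added example, not code from the talk. It parses ldd-style dependency output
(a constructed sample below, not a live `ldd` run) and hashes a binary together
with every library it resolves against. The demo then swaps a constructed
library and shows the binary's own hash is unchanged while the program, as the
loader would assemble it, is not.
"""
import hashlib
import os
import re
import tempfile

# Constructed sample of `ldd ./prog` output; real ldd prints the same shape.
SAMPLE_LDD = (
    "\tlinux-vdso.so.1 (0x00007ffd3c5f1000)\n"
    "\tlibcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f2a1c000000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a1bc00000)\n"
    "\t/lib64/ld-linux-x86-64.so.2 (0x00007f2a1c400000)\n"
)

# Either "name => /path (0xaddr)" or "/path (0xaddr)"; the vdso has no file.
_LDD_LINE = re.compile(r"^\s*(?:\S+\s*=>\s*)?(/\S+)\s*\(0x[0-9a-f]+\)")


def parse_ldd(output):
    """On-disk paths a dynamic binary will load; [] for a static binary."""
    paths = []
    for line in output.splitlines():
        m = _LDD_LINE.match(line)
        if m:
            paths.append(m.group(1))
    return paths


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_digest(binary, libs):
    """One digest over the binary and every dependency, in a fixed order."""
    h = hashlib.sha256()
    for p in [binary] + sorted(libs):
        h.update(p.encode() + b"\0" + bytes.fromhex(sha256_file(p)) + b"\0")
    return h.hexdigest()


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Returns (binary hash unchanged, manifest unchanged) after a library swap."""
    with tempfile.TemporaryDirectory() as d:
        prog = os.path.join(d, "prog")
        lib = os.path.join(d, "libfoo.so")
        _write(prog, b"constructed stand-in for an ELF executable")
        _write(lib, b"constructed stand-in for libfoo, version 1")
        before = (sha256_file(prog), manifest_digest(prog, [lib]))

        # Same binary on disk, but one of the libraries it loads was replaced.
        _write(lib, b"constructed stand-in for libfoo, version 1, one function altered")
        after = (sha256_file(prog), manifest_digest(prog, [lib]))

    return before[0] == after[0], before[1] == after[1]


if __name__ == "__main__":
    print(parse_ldd(SAMPLE_LDD))
    print(demo())   # (True, False)
```

On a real host, feed `manifest_digest` the output of `parse_ldd` over `ldd` for the binary in question; a statically linked binary yields an empty list and the manifest collapses to the binary's own hash, which is the property slide 72 is asking for. The manifest only covers libraries resolved at check time: anything pulled in through `LD_PRELOAD` or `dlopen` at run time is outside it, which is one more reason the slide's static-linking advice is simpler to verify.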
73
of about 100
New car troubles: we aren’t learning
• Note: cars now need the second kind of firewall
• Attacks on the CAN bus (It Works!)
• attacks through Bluetooth, evil mp3 files, etc.
• web search for “CANBUS security”
• Tiffany Rad
• Here we go again
74
of about 100
Long upgrade chains
• Linus -> ….
• -> ubuntu/redhat/… -> ….
• -> Raspberry Pi
• -> DSL modems, routers, printers, wireless base stations
• -> onboard aircraft entertainment systems
• -> travel information displays in airports, subways, etc.
• -> thermostats, refrigerators, etc.
75
of about 100
Long upgrade chains (cont.)
• Microsoft -> Windows n ->
• -> office workers
• -> utility machines
• -> FDA -> medical devices
• -> thermostats, refrigerators, etc.
76
of about 100
Upgrade chains (cont.)
• Some really ancient system running on dead operating systems modified by people who retired fifteen years ago ->
• -> that vital, irreplaceable controller on the factory floor that still has fifteen years left on its depreciation schedule
77
of about 100
Good news, everyone!
• Apple pretty much got out of this business.
• Upgrades are very easy and widespread
• They had to rewrite their operating system for the Mac around 1999
• iOS had some great security ideas built in, perhaps the most important:
• an app can’t mess with another app’s stuff
78
of about 100
Layers are good
79
of about 100
Some crappy layers
• Your firewalls to the Internet
• Your employees
• Whatever special arrangements your CEO might have in place
• Any Microsoft operating system
• Your physical security
80
of about 100
Who are you gonna call?
81
of about 100
Who Are You Gonna Call?
• Hyper-careful industrialists
• Dean Kamen (insulin pumps, wheelchairs)
• Elon Musk (rockets, cars)
82
of about 100
Government policies
• Mandate “no back doors”
• Allow/encourage data sharing about attacks
• Buy safer computers
83
of about 100
Microsoft?
• They certainly turned around in 2001
• Vista and Win7 appear to be vastly more secure than Windows XP
• This was a huge job. I don’t know how much of the legacy problem they solved.
84
of about 100
Windows OK
• There is nothing you can click, tap, or say that will corrupt your computer.
• It should be intuitively obvious when you are not visiting a Fortune 500 web site, or a place you have never searched before.
• Offers standard services
• It could meet the specs for this dream system.
85
of about 100
Do we have this already?
• Jeff Jones (MSFT) said Win 7 was much safer than corresponding Linux
• Maybe Win 8, too
• Seems like an awfully large hunk of software to declare victory, and maybe they haven’t.
86
of about 100
Apple?
• Macintosh redesigned in the late 1990s, on FreeBSD
• Vastly improved, big market success. Does have legacy software that lagged for a while.
87
of about 100
Maybe iOS...
• Certainly Apple tried hard to design security into iOS, and they had a fresh start, sort of
• App isolation and the app walled garden were key security goals.
• How can we tell? Measure security…
88
of about 100
iPhone authentication
• The iPhone looks like a nearly ideal solution
• It is nearly always with us
• It has enough CPU power for strong crypto
• Various sensors are suitable for biometric identification and authentication
• Location information is readily available
• It seems to be somewhat resistant to attacks.
89
of about 100
Apple security?
90
of about 100
Apple security?
• I love these devices, so I learned Rejective C and usually follow their UI advice slavishly.
• NeXTSTEP is from the late 1980s, which is okay in itself, but
• retain count stuff went away (mostly) only a couple of years ago when ARC came
• It’s not just my software that crashes
91
of about 100
Apple security?
• I don’t see how anyone can have confidence that their non-trivial program is correct in this system.
• AND…they get jailbroken as soon as there is a new release. This is not a good sign.
• My best bet for the most secure clients at the moment, but it is scary
92
of about 100
This just in about Apple
• Forensics experts tell me it is getting harder and harder to jailbreak new Apple iOS releases
• Annealing in action
• A good sign
• But: hackers report secret protocol options and perhaps back doors.
93
of about 100
Google
• A lot of efforts in important areas, with security on their mind:
• Android
• Chrome
• Chromium
• and Go (a nice language)
94
of about 100
Android
• Android is the regular and systematic target of security research papers, probably because it is much more accessible than iOS.
• As for the apps: “the problem with folk songs is that they are written by the people.” — Tom Lehrer
• It is also the basis for some brand new attempts at secure clients, like Boeing Black.
95
of about 100
Other players
• Any of these companies could start over, and maybe some should
• A basic operating system has approximately a $0 billion startup cost.
96
of about 100
Academic and other research groups
• Small teams have produced very interesting operating systems, and I bet small is going to be an important part of the answer. Some examples:
• Plan 9, Minix 3
• Peter Neumann, DARPA CRASH program: clean-slate redesign from the hardware on up.
• The military has a strong interest in this, and even in disseminating the solution
• cf. SELinux
97
of about 100
I think we can win
• It is our hardware, and our software
• There is no law of physics that says this can’t be done, and
• We have engineered reliable systems out of unreliable parts before.
• We have the home-field advantage
• Correct software can be implemented, if we are very careful
98
of about 100
I won’t live to see all this happen
• And there will still be plenty of security problems
• You can always fool people somehow
• And every public service can be flooded by the public (DDoS)
99
William Cheswick
Visiting Scholar, U. Penn.
Computer Security: I think we can win!

Editor's Notes

1. US seat belt law was 1968. My VW had it in 1964. US mandatory seatbelt use: late 1980s to 1995 or so. Airbags: Mercedes, 1981, deployed big time in the early 1990s.