Security Architectures, POLA and Capabilities


Architecture Choices for Security - 2007
Is Functionality with Security an option?
Kenneth Hamer-Hodges
http://www.SIPantic.net/SIPantic
Agenda
• The Problems with Security Practice Today
− The Unacceptable Choice
• An Alternative Architecture
− Implementing Need to Know
• Demonstrations: Inviting “Satan to Dinner”
− How to Dine with the Devil
− No choice between safety or functionality
• Some Thoughts on the Future
− How soon can we start?
7/17/2015
2
Computer Security is Broken
• XP, Vista, Mac, SELinux, RedHat….
− Access Control List Architectures
• Consider
− Web Browsers, Compound Documents
• Each plug-in needs specific authorities
• But NOT authority outside its contained areas
− None need the authority
• To launch Trojan horses
• Read and sell confidential data
• A Dark Side is also at work
Ambient Authority Problem
• ACL Grants Authority
− Desktop programs can do everything a User can do
− Even bad things
• Some Data Points
− Monthly security patches
− By design Browsers run unknown code
− Millions of lines of OS code
• Thousands of OS defects
− 2/3rds of PCs infected in some way
http://news.com.com/Expert+IT+industry+has+failed+in+desktop+security/2100-1002_3-6185295.html
http://www.mg.co.za/articlePage.aspx?articleid=299541&area=/insight/insight_tech/
Computer Security 1965 - 2007
• History from Multics to Unix, to Windows to Mac OS …
− No graded security
− Still ‘privileged modes’
− Once ‘Hacked’ everything is threatened
• Everything depends upon
− Firewalls and Anti-Virus
− Access Control Lists
− Pop-up requests
− Certificates
− Expected to protect but actually enabling threats
The Evolving Malware Threat: Guarding Against Criminal Malware, Roger A. Grimes, InfoWorld security columnist/Microsoft Sr. Computer Consultant - June 26, 2007
Firewalls and Anti-Virus
• Perimeter security systems
− May be applied to one or more computers
• Cannot discriminate internal trust
− Between applications
• Once Infections breach the wall
− All the assets within are damaged goods
• Only block expected attacks
− No “Zero-Day” security
− Detection rate ~80%
Access Control Lists
• Identity Based Access Control
− The abstraction of ID Cards
• Limitations
− No Trust Discrimination by domain
− Hard to Change & Role Explosion
− Open to embedded viruses
• Why not? Run application in private space
− Polaris demonstration (Later)
• Far too complex for typical users
Security Assertion Markup Language (SAML): At the heart of most SAML assertions is a subject (a principal – an entity that can be authenticated – within the context of a particular security domain) about which something is being asserted.
The Pop Up
• Stop and give me your valuables
− Give up and Punt Security
− Let the User take the Hit
• Antithesis of Usability
− Abdication of security responsibility
• Uninformed choice
− Just Say No - or
− Sooner or Later you get infected
Certificates
• Authenticates the authors
− A false sense of security
• Even Satan can sign
− Embed a Virus in a DLL
− Proof it came from Satan is not proof that it is safe
• Exploit bugs in Certified code
− Load a poorly written but signed driver then exploit it!
• The result is the same
− Regardless of who, how & why?
Should you run downloaded software .. A digital signature identifies the publisher of the software and verifies that the software has not been tampered with since it was signed. [BUT WITH OR] Without a valid digital signature, you have no way to verify that the software is what it claims to be.
Blue Pill (Joanna Rutkowska)
• Links
− Subverting Vista Kernel For Fun And Profit, J Rutkowska, Black Hat USA 2006
− Hardware Virtualization Based Rootkits, Dino Dai Zovi, Black Hat USA 2006
− Blue Pill Detection, Edgar Barbosa, SyScan 2007
− Compatibility is Not Transparency: VMM Detection Myths and Realities, Tal Garfinkel et al., HotOS 2007
− Blue Pill Detection In Two Easy Steps, Keith Adams
− IsGameOver.ppt, Rutkowska & Tereshkin, Black Hat USA 2007
The Result: Some Very Powerful Programs
• Any program (including all of these) can
− Watch what I do
− Access or delete my files and
− Search/use my email
The Unacceptable Choice!
• Either Functionality
− Run as Administrator
− Exposure all the time
− Depend upon Firewall & AV
− Open items at your risk
− PC grinds to a Halt
• Or Security
− Multiple Login and Passwords
− Dysfunctional Browsing
− Deny Pop-Ups
− Ignore Certificates
− Work still Grinds to a Halt
Site Password Tool
• You have accounts at many sites
− One password for all sites or different for each?
• Site Password
− A different password for each site
• A hard password in the first field
• An easy name for the site
• The tool computes a complex password for that site
• Thanks to Alan Karp et al at HP Labs
• Technical Report
• Python version
• Windows executable
• The source for the Windows
Check Point Summary
• Well behaved programs are “Tooth Fairies”
− They don't exist
• Few need authority to
− Access all files
− Install Trojan horses
• Should never be given such authority
− Allow only the authorities needed
• Write access to one or a few needed files
• Render impotent Trojan horse or Virus
The Need to Know Rule
• Principle Of Least Privilege/Authority
• Depend Upon Capabilities
− The un-forgeable, transferable right to communicate with an object
• No Privileged Modes
− Modularity is uniformly clear and enforced
• Dynamic Messaging with Run-time Guards
− Deadlock Avoidance since binding can be cut by the system
MAC and JSM
• Mandatory Access Control
− Oblivious Compliance
• A right cannot be transferred if the transfer violates some external policy
− Centralized Policy Control
• 20th century “imperial ACL-think”
• Java Security Manager
− Closest to being useful
• Some powerful authorities selectively managed
• Can place modules inside trust realms
− With a few lines of code
• Control the browser's user interface
− Spoof the user (again and again)
A Change In Thinking
http://wiki.squeak.org/squeak/3770
• Stop asking “Who are you?”
− Session based by Login rights
• Start asking “Is this authorized?”
− Action related to Interface (Facets)
• Build Trust Relationships
− Capabilities are Interfaces Protected by Contracts
− A facet can access a subset of the authorities of a powerful object
− Base Policy controls only on Needs
− Get more Functionality with better Security
Capability Security
• Defense-in-depth
− Locks and Keys in the abstract
− Natural and intuitive for POLA
− Works in Networks for Distributed Systems
− Proven commercially [Plessey Multiprocessor System 250]
• With the single act of Designation
− A mouse Click or Pass by Reference
− Convey the (needed) object(s)
− Grant the limited (necessary) authority
• Revocation is in Real Time
− By changing the lock, cutting the link
− Revokers only hold power to revoke an authority
[Figure: PlesseyC1972]
Capability PP-250 & E
• E Lang - Networked Capability to <Counter ++1>
− captp://*[email protected]68.2.34:2188/2xaukqqehpuktvjmhaox22rfgfyqwgys
Further Research Links
• Early Publications
− Jack B. Dennis, Earl C. Van Horn, Programming Semantics For Multiprogrammed Computations (1966)
− Hamer-Hodges, "A Fault-Tolerant Multiprocessor Design for Real-time Control", Computer Design, Dec. 1973, pp. 75-81.
• Easy to Find Links
− Stiegler, “E in a Walnut,” http://www.skyhunter.com/marcs/ewalnut.html
− Mark Miller, Chip Morningstar, Bill Frantz, “Capability-based Financial Instruments,” Proceedings of Financial Cryptography 2000, http://www.erights.org/elib/capability/ode/index.html
− Jonathan Rees, "A Security Kernel Based on the Lambda Calculus", (MIT, Cambridge, MA, 1996) MIT AI Memo No. 1564. http://mumble.net/jar/pubs/secureos/
− J. S. Shapiro, S. Weber, “Verifying the EROS Confinement Mechanism,” Proceedings of the 2000 IEEE Symposium on Security and Privacy. http://www.erosos.org/papers/oakland2000.ps
Functionality from Security!
• IBAC relates to roles
− Users subscribe to services
• Needs to know all users and what each can do
• Must be updated every time a user changes
− Scalability is a problem
• Too Many clients
− Password Problems!
− Client changes become Server problems!
• ABAC relates to contracts
− Service sells capabilities
• As access to a contract
• Clients manage them
− Distribute by roles
• A set of capabilities for each contract
− Includes a way to revoke
− No Password needed!
− Client Changes are correctly the Client problem!
Authorization-Based Access Control for the Services Oriented Architecture, Alan H. Karp, HP Laboratories Palo Alto
CapBox Demos
• Polaris
− Give each program only the permissions it needs
− Polaris changes the way programs are launched
− Invite Satan to dinner
• E Language
− A quick peek at distributed objects
• CapDesk, PowerBox and the Darpa Browser
− Capability based DeskTop Application Launching
− Rendering is capability confined
• Including the field to display the URL
Polaris - Beta 1.0
• Principle of Least Authority for Real Internet Security
− Polaris – HP Labs
• Alan Karp et al
− Protects from viruses
• From opening email attachments
• Macro viruses contained in files you use
• Trial Programs you launch
• Scripts on web pages you visit
• Email images you view
http://web.hpl.hp.com/personal/akarp
Polaris Confinement
• By adhering to POLA
− Polaris reduces vulnerability
• Any Application can be
− Polarized as a Pet
− Each Pet starts with
• An almost empty
− Desktop
− My Documents
• A Set Up endowment
• The File that was clicked
− A virus in this program
• Is Confined
• Can do limited damage
[Figure: A program launch - Run-As “POLAxxxyyyzzz”, with minimum authorities, only those needed to run]
Satan’s Excel Macro Demo
• Run powercmd if not already running
• OpenSafe or Double click on files with xls and
− This keeps a copy (for POLAexcel) and the original synchronized
− Powercmd then starts Excel running as if it were launched by the user polass7sAaJDp708
− Pet accounts have an installation endowment
− The permissions they get every time they start
− The endowment includes permission to READ
• c:\Program Files and c:\Windows directories, to read their libraries, fonts, etc.
• Read and WRITE permission to the PET folders
• Malicious code even from Satan himself can only
− Read the files in its installation endowment
− Read names of directory and files (XP feature)
− Write to the files opened with the Pet
POLA IE, Email and Outlook
• Outlook
− PolarisLaunch button
− Also on each email
• For the type of attachment
− Polaris will use that Pet or
− Launch in an IceBox
• Typically a browser with no address bar to exploit
• Not all work this way
• Otherwise
− Save to disk, open from there
• First Virus scan the file
− Note
• Won't protect against Zero-Day or unrecognized virus
Polaris Summary
• More functionality
− Safely ignore macros
• More Useable
− Not bothered with security dialog boxes
• More security
− Runs on XP
− Does not depend upon Capabilities
• Satan’s Macro
− Enabled but confined
− The PC does not get infected
− Viruses do not hurt
• All because
− POLA for individual applications: Pets
− Pets have limited rights
− Only edit the file clicked
E Programming Platform
• Support capability security
− Local and distributed contexts
− Open source system
− E programming language
• Robust
− Operational software has been deployed
− DarpaBrowser project
− Still a work in progress
− Not yet feature complete
http://www.erights.org/
When programming in E, you are automatically working in a capability secure environment. All references are secure references. All powers are accessible only through capabilities. Making an E program secure is largely a matter of thinking about the architecture before you code, and doing a security audit after you code.
E and CapDesk
• Capability secure distributed file management
• Fine-grain grants of authority
• Easy file service configuration
• Ad-hoc virtual private networking
• Minimal-Authority application-launching environment
• Integration of usability, security, and functionality
• Invulnerability to over-the-network attack
[Figure: Point-and-click capability-confined launch; Applications/Web Browser; Negotiates endowments; Authority granted on launch; Prevent window forgery]
E Language Demo
• Capability-based security
• Encrypted Communication
• Deadlock avoidance
• Promise pipelines
• Alice pays Bob $10
− Only a currency mint can violate that currency
− The mint can only inflate its own currency
− No one can affect a purse balance they don't own
− Two purses of a currency can transfer money
− Balances are always non-negative
− Rely on reported deposits if one trusts the purse
− Rights Amplification
E-on-Java Download Page - licensed under Mozilla or Mozilla compatible open source license.
E on Common Lisp - Kevin Reid's implementation of E on Common Lisp.
Distributed Capability Demo
• Distributed Counter Access
− VatA: Alice & Carol
− VatB: Bob

    ?? in new vat VatA
    ? introducer.onTheAir()
    ? var x := 0
    ? def counter {
          to incr() :any {
              x += 1
              x
          }
      }
    ? counter.incr()
    ? x
    ? def sr := makeSturdyRef.temp(counter)
    ? def uri := introducer.sturdyToURI(sr)
    ? <file:counter.cap>.setText(uri)

    ?? in new vat VatB
    ? introducer.onTheAir()
    ? def uri := <file:counter.cap>.getText()
    ? def sr := introducer.sturdyFromURI(uri)
    ? def remote := sr.getRcvr()
    ? remote.incr()
Capability Security Demo
• Alice Pays Bob $10.00
[Figure: mint (name, sealer, unsealer); buy purse $0 → $10; purse balances $100 → $90 and $200 → $210]
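The mint and purse behaviour listed under "Alice pays Bob $10" on the E Language Demo slide and drawn in the diagram above, as an added JavaScript example rather than the E distribution's own code. The sealer/unsealer pair is what lets a purse amplify authority over another purse of the same currency while keeping balances non-negative; makeBrandPair, makeMint and alicePaysBob are illustrative names assumed here.

```javascript
// Added example (not the E distribution's code): the mint/purse pattern from
// the slides, in JavaScript. Names such as makeBrandPair are illustrative.
// A brand pair: the sealer hides a value in an opaque box; only the matching
// unsealer can get it back. The mint keeps its unsealer private, so a purse
// can unseal (amplify) authority only over purses of the SAME currency.
function makeBrandPair() {
  const contents = new WeakMap();                      // box -> hidden value
  const sealer = { seal(v) { const box = Object.freeze({}); contents.set(box, v); return box; } };
  const unsealer = { unseal(box) {
    if (!contents.has(box)) throw new Error("not a purse of this currency");
    return contents.get(box);
  } };
  return { sealer, unsealer };
}

function makeMint(name) {
  const { sealer, unsealer } = makeBrandPair();
  function makePurse(initial) {
    let balance = initial;                             // invariant: never negative
    const decr = (amount) => {                         // private right to debit this purse
      if (!Number.isInteger(amount) || amount < 0 || amount > balance)
        throw new Error("insufficient funds");
      balance -= amount;
    };
    return Object.freeze({
      getBalance: () => balance,
      sprout: () => makePurse(0),                      // empty purse, same currency
      getDecr: () => sealer.seal(decr),                // opaque to everyone but this mint
      deposit(amount, src) {
        // Rights amplification: unsealing src's box proves src belongs to
        // this mint and yields the authority to debit it.
        unsealer.unseal(src.getDecr())(amount);        // throws if src is short
        balance += amount;
      },
    });
  }
  return Object.freeze({ name, makePurse });           // only the mint creates money
}

// Constructed scenario from the slide: Alice pays Bob $10.
function alicePaysBob() {
  const mint = makeMint("dollars");
  const alice = mint.makePurse(100);
  const bob = mint.makePurse(200);
  const payment = alice.sprout();                      // Alice exposes only this purse
  payment.deposit(10, alice);                          // Alice's purse: 100 -> 90
  bob.deposit(10, payment);                            // Bob takes the 10: 200 -> 210
  return [alice.getBalance(), bob.getBalance()];
}
```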
CapBox Architecture
• CapDesk/DarpaBrowser
− Use Capabilities
− A manager on behalf of a confined application
• Granting authority
• Revocation
− Launches an app
• Conveys the endowed authorities
• Negotiates authorities during execution
− For the application
− With the user
− For revocation
Capability Delegation
I say: myLawyer.myDeath(myReadOnlyWill)
• Communication only by messages on references
− Reference graph == Access graph
• Connectivity leads to Security

    def makeReadOnlyFile(fullPowerFile) {
        def readOnlyFile {
            to getBytes() { return fullPowerFile.getBytes() }
        }
        return readOnlyFile
    }
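The attenuation shown in the E snippet above, together with the real-time revocation ("cutting the link", with a revoker that holds no other power) from the Capability Security slide, as an added JavaScript example that is not the slides' own code. makeFile, makeRevocable and willScenario are illustrative names assumed here.

```javascript
// Added example (JavaScript, not the slides' E code): attenuation and revocation
// of a capability. A capability is an unforgeable reference, so the reference
// graph is the access graph; authority is shaped by which references are shared.

// Constructed "full power" file: any holder can read and write it.
function makeFile(initial) {
  let bytes = initial;
  return Object.freeze({ getBytes: () => bytes, setBytes: (b) => { bytes = b; } });
}

// Attenuation (the slide's makeReadOnlyFile): the facet forwards only getBytes.
// It holds the full-power file in its closure but never hands that reference out.
function makeReadOnlyFile(fullPowerFile) {
  return Object.freeze({ getBytes: () => fullPowerFile.getBytes() });
}

// Revocation "by cutting the link": a caretaker forwards calls to the target
// until revoked. The revoker carries no authority except the power to revoke.
function makeRevocable(target) {
  let current = target;
  const caretaker = new Proxy({}, {
    get(_, prop) {
      if (current === null) throw new Error("capability revoked");
      const v = current[prop];
      return typeof v === "function" ? (...args) => v(...args) : v;
    },
  });
  const revoker = Object.freeze({ revoke: () => { current = null; } });
  return { caretaker, revoker };
}

// The lawyer receives a revocable, read-only view of the will and nothing else.
function willScenario() {
  const will = makeFile("everything to the cat");
  const { caretaker: lawyerView, revoker } = makeRevocable(makeReadOnlyFile(will));
  const before = lawyerView.getBytes();                        // works
  const canWrite = typeof lawyerView.setBytes === "function";  // false: attenuated
  revoker.revoke();                                            // cut the link
  let after;
  try { after = lawyerView.getBytes(); } catch (e) { after = e.message; }
  return { before, canWrite, after };
}
```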
The Confused Deputy Solved
• Access Secure Abstractions
• All Classes are also gatekeepers
• Use normal behaviour to control security policy
• Further limits actual authority
• Leads to POLA by degrees
[Figure: Full Trust 2nd Party; Un-trusted 2nd Party; 2nd & 3rd Party Isolated; Perimeter Security; Confinement; 2nd & 3rd Party Connected; Confused Deputy; Communicating Conspirators]
POLA Rules for Granma
• Just say no when an Application
− Asks for additional different authorities
− Asks to read or edit anything more than a Desktop folder
− Asks for edit authority on other stuff
− Asks for read authority on odd stuff, with a connection to the Web
• If an Application Install..
− Proposes a name or an icon
• Give it a new name and new icon and a new folder path
− Asks for Web access, beyond 1 or 2 specific sites
• Always say No unless it is a trusted Web browser
http://www.combex.com/papers/darpa-report/DarpaBrowserFinalReport.doc
What of the Future?
• Object Oriented Programs
− More implementations that support good software modularity
• Principle Of Least Authority (POLA)
− PowerBox tools based on “Need to Know”
• Capabilities
− Languages with embedded guarantees for POLA access to Networked Objects
• CapBox Security
− Where only “a knowledge of, gives some right of use"
Object Capability Time Line
• 196x: Dennis & Van Horn - MIT - PDP-1 Supervisor; Bob Fabry - Magic Number Machine - U of Chicago; Hamer-Hodges, England et al - System 250 - Plessey Corporation; Simula - Dahl, Myhrhaug and Nygaard at the Norwegian Computing Center, Oslo
• 197x: Roger Needham, M Wilkes - CAP - Cambridge University; Bill Wulf - Hydra - Carnegie Mellon; Butler Lampson, Sturgis – CAL-TSS; RATS & NLTSS - Lawrence Livermore; Actors - MIT; PSOS - SRI; StarOS - Carnegie Mellon; GNOSIS/KeyKOS – Tymshare; System/38 – IBM
• 198x: Smalltalk - Alan Kay et al at Xerox PARC; Objective-C - Brad Cox and Tom Love at Stepstone; Steve Jobs' NeXT machine; Bjarne Stroustrup in his development of C++; Amoeba - Free University Amsterdam; iAPX 432 - Intel
• 199x: EROS and E; Jonathan Rees's thesis on W7; J-Kernel
• 200x: CapDesk, PowerBox, DarpaBrowser, Polaris
Finally…?
From DeskTop to CapBox
From Web Explorers to CapBrowsers
CapDesk will Polarize the DeskTop <- Pola-Vista
Google is developing Capability Based Network Browsing
Unquestionably more to come on both Object Capabilities and POLA