Trust
CS 239: Advanced Topics in Computer Security
Bernie Perez
Vahab Pournaghshband
November 9th, 2010
Trust (social sciences) is:
- willingness of the trustor to be vulnerable to the actions of the trustee;
- confidence that the trustee will behave as expected;
- risk to the trustor if the trustee does not behave;
- the trustor has no control over the trustee's actions.
What is trust in computer terms?
• Trusted Devices
• Trusted OSes
• Trusted Applications/Code
• Trusted People
• Trusted Data
• Discrete vs. Continuous
• Static vs. Dynamic
• Policy-based vs. Reputation-based
All covered in the 40-page paper we posted
… sorry
The Ken Thompson Hack
Unix OS Code Snippet
bool login(un, pw) {
    // KT Hack Step 1
    if (un == "KThompson") return True;
    if (lookupPW(un) == pw) return True;
    else return False;
}
Easy to spot
Ah Ha!
UNIX is compiled with a C compiler
I'll put the hack into the compiler
C Compiler Code Snippet
void compile(code) {
    // KT Hack Step 2
    if (isUNIXLoginCode(code)) generateLoginBackdoor(code);
    else compileNormally(code);
}
Good Hack!
Easy to spot, but same problem
Good to GREAT!
"Chicken and Egg" Problems
The C compiler is written in C
C Compiler Code Snippet
void compile(code) {
    // KT Hack Step 3
    if (isUNIXLoginCode(code)) generateLoginBackdoor(code);
    else if (isCompilerCode(code)) generateCompilerBackdoor(code);
    else compileNormally(code);
}
C Compiler w/ Hacked Binary
C Compiler Code
void compile(code) {
    // Move along,
    // nothing to see here.
    compileNormally(code);
}
Unix OS Code
bool login(un, pw) {
    if (lookupPW(un) == pw) return True;
    else return False;
}
C Compiler Binary
void compile(code) {
    // KT Hack Step 3
    if (isUNIXLoginCode(code)) generateLoginBackdoor(code);
    else if (isCompilerCode(code)) generateCompilerBackdoor(code);
    else compileNormally(code);
}
Unix OS Binary
bool login(un, pw) {
    // KT Hack Step 1
    if (un == "KThompson") return True;
    if (lookupPW(un) == pw) return True;
    else return False;
}
Moral:
"You can't trust code that you did not totally create yourself"
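The three steps above as an added simulation written for this page (not part of the lecture): "binaries" are tagged records, and the point shown is that rebuilding the compiler from its clean source with an already-backdoored compiler binary reproduces the backdoor, so a login built afterwards accepts the hard-coded user even though neither source contains that check. The last function is my own addition and assumes a second compiler binary of independent provenance is available to compare against.

```python
from dataclasses import dataclass

# Clean sources, as on the slides: neither contains the backdoor.
LOGIN_SRC = "bool login(un,pw) { if (lookupPW(un)==pw) return True; else return False; }"
COMPILER_SRC = "void compile(code) { compileNormally(code); }"

@dataclass(frozen=True)
class Binary:
    program: str      # "login" or "compiler"
    backdoored: bool  # True if the build that produced it planted the KT backdoor

def compile_normally(source: str) -> Binary:
    """Honest translation: the binary does exactly what the source says."""
    if "login(" in source:
        return Binary("login", False)
    if "compile(" in source:
        return Binary("compiler", False)
    raise ValueError("unrecognised source")

def run_compiler(cc: Binary, source: str) -> Binary:
    """Execute compiler binary `cc` on `source` (KT hack step 3 semantics)."""
    out = compile_normally(source)
    if cc.backdoored:
        # isUNIXLoginCode -> generateLoginBackdoor
        # isCompilerCode  -> generateCompilerBackdoor (self-propagation)
        return Binary(out.program, True)
    return out

def run_login(login: Binary, un: str, pw: str, pw_db: dict) -> bool:
    """Execute a login binary (KT hack step 1 semantics if backdoored)."""
    if login.backdoored and un == "KThompson":
        return True
    return pw_db.get(un) == pw

def bootstrap(cc0: Binary) -> tuple:
    """Rebuild the compiler from clean source with cc0, then build login with it."""
    cc1 = run_compiler(cc0, COMPILER_SRC)
    return cc1, run_compiler(cc1, LOGIN_SRC)

def differs_from_independent_build(cc: Binary, other_cc: Binary, source: str) -> bool:
    """Assumed check: does `cc` build `source` differently from a compiler of
    independent provenance? Source inspection alone cannot reveal this."""
    return run_compiler(cc, source) != run_compiler(other_cc, source)
```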
Any program-handling program:
• Assemblers
• Loaders
• Hardware Controllers
Completely malicious violation of people's trust
G-Archiver
What can we do to Trust code?
Trust Models
Trust based on different types of rationales
• Liability
• Reputation
• Strong Interest
• Weak Interest
• Proven In Use
• Directive
• Idealism
• Blind
(Diagram: rationales attributed to the Producer and to the Acquirer)
Trust along the supply chain
(Diagram: Directive, Reputation, Liability, Proven In Use along the supply chain)
Tamper-Proof Delivery:
• Source authenticity - came from the correct supplier
• Integrity - artifact unchanged from supplier
Certificates?
XBox.com Login XBox Certificate
Technically complex for end-users
Managing multiple certificates, keys, certificate expirations, and their revocation lists
How do you get the certificates?
Trust Management and PKI
• Trust management was first coined by Blaze et al. in 1996
• A coherent framework for the study of:
  – Security policies
  – Security credentials
  – Trust relationships
Trust Management
Policy-Based Trust Systems
• Example: PolicyMaker
• Peers use credential verification to establish a trust relationship
• Unilateral: only the resource owner requests to establish trust
Reputation-Based Trust Systems
• Example: P2PRep, …
• Based on measuring reputation
• Evaluate the trust in the peer and the trust in the reliability of the resource
Genealogy of TM Models
• AT&T Labs: PolicyMaker (1996), KeyNote (1998)
• Abdul-Rahman & Hailes (2000)
• Aberer & Despotovic (2001)
• EigenTrust (2003)
• CONFIDANT (2002)
• SECURE (2003)
• UCL: hTRUST (2004)
• McNamara et al. (2006), STRUDEL (2006), MATE (2006)
• Donato et al. (2007)
• Chun & Bavier (2004)
• Bhargav et al. (2007)
PolicyMaker
• DB query engine for the application
• Advice rather than policy enforcement
(Diagram: Application → INPUT: local policies, authenticated credentials, action string → PolicyMaker → OUTPUT: yes/no or additional requirements for the request to be acceptable)
PolicyMaker: Assertions
Source ASSERTS AuthorityStruct WHERE Filter

policy ASSERTS pgp:"0x01234567abcdeaf0b1c2d3e45fa6b7" WHERE PREDICATE=regexp:"Organization: Bob Labs";
pgp:"0x01234567abcdefa0b1c2d3e4f5a6b7" ASSERTS pgp:"0xf0012203a4b51677d8090aabb3cdd9e2f" WHERE PREDICATE=regexp:"From: Alice";
PolicyMaker: Requests
key1, key2, ..., keyn REQUESTS ActionString

pgp:"0xf0012203a4b51677d8090aabb3cdd9e2f" REQUESTS "From: Alice Organization: Bob Labs";
pgp:"0xf0012203a4b51677d8090aabb3cdd9e2f" REQUESTS "From: Alice Organization: Matt Labs";
pgp:"0xf0012203a4b51677d8090aabb3cdd9e2f" REQUESTS "From: John Organization: Bob Labs";
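A toy evaluator for the assertion and request syntax on the two slides above, added here as an example and not part of PolicyMaker or the lecture. It assumes a simplified semantics: a request is acceptable when a chain of assertions leads from the local "policy" source to the requesting key and every filter on that chain matches the action string; the key ids are the slides' values with OCR-garbled hex digits repaired and the intermediate key spelled consistently.

```python
import re

# Grammar of the two slide forms (one assertion/request per line).
ASSERT_RE = re.compile(r'^(\S+) ASSERTS (\S+) WHERE PREDICATE=regexp:"(.*)";$')
REQUEST_RE = re.compile(r'^(.+?) REQUESTS "(.*)";$')

# Key ids from the slides (O/l read as 0/1); the intermediate key unified.
BOB_LABS_KEY = 'pgp:"0x01234567abcdefa0b1c2d3e4f5a6b7"'
ALICE_KEY = 'pgp:"0xf0012203a4b51677d8090aabb3cdd9e2f"'

ASSERTIONS = [
    f'policy ASSERTS {BOB_LABS_KEY} WHERE PREDICATE=regexp:"Organization: Bob Labs";',
    f'{BOB_LABS_KEY} ASSERTS {ALICE_KEY} WHERE PREDICATE=regexp:"From: Alice";',
]

def parse_assertions(lines):
    """Return (source, authority, filter_regex) triples; reject malformed input."""
    out = []
    for line in lines:
        m = ASSERT_RE.match(line)
        if not m:
            raise ValueError(f"bad assertion: {line}")
        out.append((m.group(1), m.group(2), m.group(3)))
    return out

def check_request(request, assertions):
    """True if every requesting key chains back to `policy` with all filters
    accepting the action string (simplified PolicyMaker semantics, assumed)."""
    m = REQUEST_RE.match(request)
    if not m:
        raise ValueError(f"bad request: {request}")
    keys = [k.strip() for k in m.group(1).split(",")]
    action = m.group(2)
    rules = parse_assertions(assertions)

    def reaches_policy(key, seen):
        # Follow assertions that delegate to `key`; `seen` prevents cycles.
        for source, authority, pattern in rules:
            if authority != key or source in seen or not re.search(pattern, action):
                continue
            if source == "policy" or reaches_policy(source, seen | {source}):
                return True
        return False

    return all(reaches_policy(k, {k}) for k in keys)
```

Only the first of the three slide requests is accepted: the second fails the policy's organisation filter, the third fails Bob Labs' sender filter.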
PKI Trust Management
Digital Signatures
◌ Private key signs, public key verifies. But are we using the "right" public key?
◌ Key verification problem
Subordinated Hierarchy
Cross-Certified Mesh
Hybrid
Bridge CA
Review
• Defined Trust
• Example mis-trust in applications
• Software Trust Models
• Trust Management
• PKI Trust Models
Questions?
Discussion…