Schneier on Security

Nick P • March 31, 2010 3:24 PM

@ Bruce

As I’ve been ranting on about increased assurance systems, it’s nice to see you mention it. I have to say there are a few counterpoints, though. For one, where your software is written does matter if you’re a government or corporation protecting high value assets. An American working for an American company isn’t inherently better, but they are much less likely to subvert or disclose technology to Chinese firms than, say, a Chinese company or employee. The tremendous amount of espionage and subversion in places like China and Russia refutes your unconditional argument. Unless we use a process like EAL7 (>EXPENSIVE<), we can’t really have our enemies build the software without worrying about what they did to it. So, we must consider location as a risk and deal with it like any other.

On Assurance

Now is the best time to get the assurance going. Several decades of research have shown exactly what it takes: unambiguous requirements written by domain experts; careful attention to risk throughout lifecycle; a specification that corresponds strongly to requirements; implementation that corresponds strongly to specs; much testing/modeling; independent, thorough review. All security-critical (EAL5+) and safety-critical (i.e. DO-178B) software is written like this. These rarely fail. The question is, “Can it be made cost-effective?”

There are some considerations here. For one, we have better tool and language support for this than ever. For instance, Praxis’s Correct by Construction methodology produces software with few enough defects that they warranty it. Cleanroom has been used for years by many companies and accomplishes the same thing without the developer ever even executing his/her code (!). Using some formal methods at requirements/design stages has been shown to catch serious bugs early. Static analysis tools spot trouble spots. Languages/subsets designed for high integrity, such as SPARK Ada or OCaml, would eliminate large classes of errors overnight while being productive & fast. Modern theorem prover tricks, like Coq’s autogenerating Ocaml & seL4’s HOL equivalent of C statements, help in the highest assurance cases with significant cost savings. Finally, all the tools supporting standards like DO-178B, like Perfect Developer & Esterel, make integrating assurance easier than ever.

On Government

You’re absolutely right that the government must lead the way. They must demand assurance and then pay for it. If they don’t, companies won’t build it. Alas, I see problems here. The government demanded Orange Book A1, verified systems for critical assets, then went and bought the equivalents of SELinux and Windows in mass, just buying a few high assurance systems to act as guards. Companies spent millions and then had nothing to show for it, such as Honeywell selling only 35,000 SCOMP systems. So, I think long-standing contractors will have serious reservations about taking such risks again. They know the government will cave in and go for whats cheaper or has more functionality. There is some hope in the recent push for EAL6+ separation kernels: government mandated it, helped develop them, certified them, and spent lots of money buying them. If the government does more of this, we will see a flood of medium assurance products hit the market. Encouraging open-source, med-high assurance would help as well.

Nick P • March 31, 2010 3:39 PM

@ Matt

“the app store model with solid TPM will deal a crippling blow to malware”

I don’t think so. You have to look at the attack vectors and mechanisms. For one, it just moves it to web service providers. I don’t know if you’ve noticed, but most web stacks are much less security-savvy than, say, a Linux or BSD OS. It will reduce the risk of local malware, but all vectors that hit servers, scripts in the documents, poor parsing, etc. will still work. Additionally, the biggest sources of malware today are social engineering over email and drive-by downloads. Since Chrome is still a complex browser and Linux kernel, it only reduces risk: there’s still plenty of ability for botnets to hit. TPM has the ability to neglect this, IF users don’t override it thinking it’s buggy like most DRM. If user’s can’t override it and make dumb decisions, then TPM will have dealt a crippling blow to liberty. Capability-based microkernel OS’s, hardware-assisted virtualization, TPM, signed apps, and at least medium assurance security in core apps is the best combo at best that let’s us reuse much legacy functionality. You can get this from defense contractors for big $$$, but we need an OEM preloading a cheap version of the same thing on all machines for real exposure.

@ John

Yes, it will take engineering. I don’t think seL4 is a good example here, though. Cleanroom and Correct by Construction are engineering approaches that are much more practical and easy to learn as far as “normal” code cutters are concerned. Low level C, modelling said C in HOL, writting HOL proofs, verifying HOL proofs, etc. I just don’t see most people doing that. Besides, although I praise L4.verified’s efforts, they haven’t released the proofs or the code for peer-review. I’ve criticized Heisner and company for this, but all we have is their team’s word. Better examples in this area, due to field use and independent review, are Green Hills INTEGRITY-178B, Aesec’s GEMSOS platform, and Galois’s trusted block access controller for MLS wiki’s. They used formal methods, extensive testing, pentesting by NSA, and have actual products that have been running for a decade in high risk environments (except Galois’s recent BAC). As soon as I get seL4 proofs and validation, I’ll list them as best in class.

Nick P • April 1, 2010 12:09 AM

@ John [on auto-programming]

Automatic programming has been a dream of mine for some time. I spent a year or so heavily wrapped up in AI just to pull it off. I learned about compilers, natural language systems, problem-solving engines, etc. I kept pushing the idea as hard as I could to figure out why we haven’t been able to do it. Here’s my hypothesis for your consideration: it’s not the problem-solving or programming that would be hard, but requirements understanding.

Have you looked into what it takes to understand and solve a simple, common and random problem? There’s a surprising amount of background knowledge, logical/physical/linguistic rules, and domain knowledge to consider. Additionally, a machine that could learn in spite of massive uncertainty and produce rational results is non-trivial. Projects like Novamente have brought it forward a long way, but machines that have “common sense” or even a 3 year old’s intuitive thinking capability still don’t exist. The reason is that there is too much information to program. A general-purpose software generator would require something like a high school student’s understanding of human subjects, plus plenty of domain knowledge in common collegiate & software-related fields.

Even though our brains are the best learning & problem-solving tools known to man, we still take almost two decades to reach the requirements I specified. Even if we create an architecture for an AI like you mention, we will have to train it. Even if we only have to train one, we must get the architecure, knowledge, learning experiences and inference rules right the first time. Each new attempt is a tremendous investment to produce the common sense & background knowledge in the new form. The Common Mind and Cyc systems are supporting evidence for my point: they illustrate this problem exists because some of the best AI researchers are pouring that much effort into it. Just think: hardware; software; architecture/design; training sets; ontologies; tying ambiguous natural language to all of that efficiently; process for concepts to requirements to effective design to efficient code. The last part will be the easiest, as we already have a lot of that. I think automatic programming is a good long-term goal, but I would say producing such an agent will probably require as much effort as the Human Genome Project… for the first good try.

Nick P • April 1, 2010 2:33 PM

@ John

Thanks for your clarifications. Although I don’t think it would have to be a “sentient” being, I agree it would have to be as smart as one. Definitely a long, long, LONG term goal. Maybe it will happen if the government funds more brilliant researchers like the Minsky’s, Hillis’s, and Conway’s of old.

@ Clive on Intel’s processor

This reminds me: POWER7 came out recently. That’s an average of 6-8 cores, 3MB L3 cache per core, 3.5GHz clock speed, RISC instruction set, virtualization and compatible with both servers and mainframes. :0 It also caught my attention because most separation kernel vendors target POWER architecture. I will be looking into getting one of these things in a laptop (read: portable desktop tethered to A/C outlet).

I’ll tell you what I want, though, Clive. Just a POWER, MIPS, ARM or x86 chip built with high assurance techniques. It needs to be energy efficient, small, and have OK performance. I’m tired of worrying about processor, firmware, MMU, VT and cache attacks. Need a decent chip done right without significant flaws. Then, we can build good stuff on top while retaining most legacy compatibility. I found out that Rockwell-Collins offering in this area, AAMP7G, is made for “deeply embedded” use. That explains its 100Mhz clock rate, but I need something a bit faster. Potentially increase the surface area, power consumption or something of that chip to do the job? Think there could be a quick fix for my chip problem there?

Nick P • April 2, 2010 12:47 AM

@ Clive

Perhaps I misphrased it, but my biggest question was whether you think AAMPG7 processor could be easily modified to, say, go faster & support more memory resources. Since I’m not a hardware guy, I’m wondering if a deeply embedded, slow, low power processor can be supercharged simply by increasing its power, chip surface, etc. without major changes to the design. For your review, here’s a PDF covering the processor, its verification & Rockwell Collins development platform. It gives specifics about the chip.

http://www.csl.sri.com/users/shankar/VGC05/Hardin.pdf

Although your architecture enforces POLA at a fine-grained hardware level, we need some good stuff as a stepping stone. A high assurance, POWER-like processor is a nice start. I’m wondering if it would be easy to get this chip to do over 100MHz if I allow watts and parts cost to increase a bit, but without much more development costs.

Nick P • April 3, 2010 11:27 PM

@ Clive

No prob, man. It’s busy for me this Easter, too, in similar ways. I’ll look back here in a few days to see if you’ve posted an answer. And remember, it’s AAMP7 or AAMP7G. Because it’s one the bottom of the “most searched terms” list, one must spell it right to get good results.