Schneier on Security

Clive Robinson • September 15, 2013 3:01 AM

@Stanislav Datskovskiy,

I know that you think RobertT and myself are thinking way beyond what you think is possible or will be done, but history shows that what is deemed impossible today will be an operational weapon tomorow.

Thus it’s sensible to keep a “weather eye” for approaching storm clouds and follow a few basic rules of thought.

One aproaching storm cloud is the Ed Snowden revelations, the simple fact is that people in the security industry have been pointing out that what the NSA are supposadly doing has been possible for twenty years or so one way or another and it would be daft not to consider they are doing so. The general industry concensus was “so what” and “carry on as usuall” ignoring the problem.

That was great for two sets of people, the NSA et all and those who have taken the warnings seriously. Why the latter well it’s in part the “low hanging fruit” principle and in part the old joke about the two men and the tiger where one realises he only has to run that little bit faster than his friend to survive because the tiger will go for the “low hanging fruit” of the slowest man.

The Snowden revelations are going to act as a wake up call for quite a few (but probably not many as a percentage) and they are going to take the time to tie their laces and run that bit harder than the others, which is going to vastly increase that second group, and that’s a real problem.

Why is it a problem, well few people are going to climb a tree for just one or two very good apples when there are hundreds of thousands of perfectly acceptable apples within reach of the ground with a bit of a stretch. But if there are now thousands of very good apples up there then it pays to go and get a ladder or cherry picker crane to get them.

That is that second group that were outside of the NSA general harvesting methods were to small in number to bother with will now grow a thousand fold and as such now sufficient in number to be worth bothering with.

This gives the NSA two choices extend their existing hoovering methods to cover them or directly target on a “personal” basis. The most efficient with anything other than a very small number of select targets is to extend the existing hoovering methods.

I can say this with a degree of certainty because this is what the criminal element on the Internet has done already and as history shows, where criminals lead spys will follow just a foot step or two behind [1].

Right now there are very many “Personaly Identifing Information” handeling organisation executives having conversations with the legal fraternity about liability under verious pieces of legislation. Because yesterdays “best practice” has just in effect become an admission of guilt for not taking due caution and diligence. So they are going to talk to their technical staff and open their cheque books and pay for a whole load of new security product. Much of which will be based on what is current practice in that small second group (with luck it will spike BYOD and external Cloud which could be good news for sysadmins). So it will cause the Feds etc to “go dark” untill they have extended the hoovering or changed the legislation (which appears unlikely in the immediate future).

This guarenteed extension to the hoovering methods means that the small second group have the choice of either notching up their security efforts or getting hoovered up with the rest. So whilst the Snowden revelations are a bright shining light to many for the few they have cast dark storm clouds across the horizon and tempestuous times are ahead.

Thus the use of minority operating systems and permiable air gaps is nolonger sufficient more technical means are required. Some of this will be acheived by better OpSec such as replacing air gap crossing media such as thumb drives with media that is either very cheap to buy and securely destroy to do one off unidirectional use, or can be easily and reliably sanitised such as old school magnetic media like floppies and mag tapes (but not hard drives), all with properly audited and fully traceable media use.

But some will by necesit,y be by hardening systems at a more fundemental level than has been done previously. As a first step by reducing systems to the point of single function not just in the application but in the OS and hardware as well. How far down the hardware stack is currently an open debatable but certainly below CPU level.

As Nick P has noted he and I along with several others have been discussing this for some time in both speciffic areas (financial authentication methods, IMEs, data diodes etc) and more generaly such as computer architecture (see Castles-v-Prisons). We have also along with RobertT looked at just what would be required as a process to “poison the supply chain” at SoC and lower levels and even how to store data in ways that can only be meaningfull to one small part of a chips functionality and thus defeat “flip top” and “embedded” attacks on the silicon.

On the above CPU side of the computing stack we have criticaly looked at faux techniques like “code signing” long before Stuxnet reared it’s head to briefly wake the rest of the industry up. We also looked at ways of subverting PKI.

But in the more distant past we have talked about what you might call TEMPEST or EmSec, not in just the “passive” way but the “active” way as well and importantly the ways you manage it and how they relate to managing complexity.

You make the point about “in a single persons head” this has been discussed before on this blog and it’s been repeatedly pointed out that our computing needs are beyond this “strip back to basics” idea which from one perspective (supposed efficiency) is true. However it’s not the only game in town and it is also an evolutionary culdersac as the likes of Intel have realised [2]. The solution is to manage complexity by divide and concour. That is you have one “function” per computer and strongly controled choke points between them. In this way a single person can hold the design of each striped down computer, switching buss and control buss and hypervisor in their head.

I’ve discussed this in the past as part of Castels-V-Prisons and it follows on from the logical design prrocess of the highest security systems.

Whilst you are considering this think carefully about the purpose an MMU has and what advantages this can give you in a multi CPU+MMU system with common memory BUT where the MMU is not controled by the attached CPU but a security Hypervisor.

[1] The reason for this as history clearly shows contrary to the impression some spy stories may give, in general the Inteligence Services “officers” don’t get involved with the “risk” of actual “spying”. That’s what the expendable MICE driven “agents” and “contractors” are for. The officers mearly act as middle men passing orders down to the operatives and the resulting intel “product” from these “methods and sources” operatives up to the “analysts”. The analysts then do what is in effect “investagative journalism” and produce the refined and sanitised “intel” that gets used by those in government or other Inteligence Service departments/compartments.

[2] As a broad overview the Intel x86 design started when Complex Instruction Set Computers (CISC) became viable due to reductions in transistor size on chips. At that time the opposit aproach of Reduced Instruction Set Computing (RISC) was the vogue for high performance computing which became multi CPU for Cray and IBM. Sun purchased the rights to Cray’s switching techniques and the Sun StarFire series of computers became the way to go until clustering took off. Intel stuck with CISC for quite some time but as problems increased they first switched to an internal Harvard design with seperate data and instruction caches, and eventually even they had to do a wolf in sheeps clothing where by they wrapped a RISC core in CISC clothing. But as we see now even that idea is nolonger cutting the mustard so Intel has gone down the multi core process quite late in the day as the reduction in transistor size and other chip fab techniques have made it viable. More interestingly perhaps is what has happened to Intel’s main rival in core count Advanced RISC Machines (originaly Acorn Computers but spun off). ARMs RISC CPU pops up all over the place and some SOCs have not just multiple ARM cores but multiple computers with each CPU core having it’s own seperate RAM and IO, in what is effectivly “clustering on a chip”.

[]

Clive Robinson • September 15, 2013 4:16 AM

@ Nick P,

Many software errors are removed by giving programmers higher abstractions. However, the safer software platforms keep having trouble at the lower level stuff the language assumptions ignore or which is right at an abstraction boundary. The obvious solution is to raise the hardware’s level of abstraction/operation up to reflect what we’re trying to do with it. Not to mention, it’s better to work on screws with a screwdriver rather than an old hammer

The problems with “obvious solutions” is whilst they might be right in the short term they are often wrong in the long term (as I commented above in my sub 1 Intel fell into this trap a number of times).

I’ve mentioned before the Unix idea of pipelining small special function programs in interpretive shell scripts as being a possability for decreasing hardware complexity whilst also increasing security whilst also increasing code cutter productivity. All of which are desirable outcomes, the downside being that it’s some what slower on any given platform (the reality of which is it usualy does not matter).

In effect you do what Intel did when switching from a CISC to RISC core, you wrap a layer around the core in essence dressing a wolf up to look like a sheep.

This wrap can be hardware, microcode, byte code or executable programes it does not matter. They are all interpreters, they are all less efficient than working at the layer below, however that is irrelavant all that matters is the wrap is secure in it’s own right.

Importantly we know that software bugs are more proportianate to lines of code than they are to the complexit of what each functional instruction has. Thus there are significant “code cutter” advantages to having as higher level of code as possible in terms of both bug minimisation and increased productivity. It also makes code easier to review as well.

So at the highest level you have a machine with what is in effect a striped down interpreter (like the Unix reduced shell) and a file of very high level interpreter code that pipelines data throuch executable code functions but does not have a compiler etc to write the executable code.

The executable code is written not by jobbing code cutters but by experienced secure code developers via formal methods which goes through independant accreditation for both security and formal function. However the addition is another file for the hypervisor that monitors the data paths between functions looking for limits and exceptions to the data formats as well as ensuring data is segregated correctly against function. Thus for instance data taged as an encryption key could not go to any place that was not formaly identified in that file as a port on a function being both capable of and authorised to receiving that data type.

Clive Robinson • September 17, 2013 2:40 AM

@ Figureitout,

–The van can be gray too

Or white 🙂

In the UK we have an expression “White van man” due not just to the vast numbers of white vans, but also in part to some percentage of the drivers of these white vans driving either recklessly, illegaly or out right dangerously. As well as some of them being near grey with dirt sufficient for others to write comments in that critique the van’s driver’s abilities with a somewhat barbed witisism…

Clive Robinson • September 19, 2013 8:41 AM

@ Mike the goat, Figureitout,

Being under the “eye” or suspecting so is very moraly corrosive, look up “long gun fear” it can cause an entire batalion to become ineffective. Or look back to the times of “The Washington Sniper”.

The behaviour people emitt at such times looks, tastes and feels like paranoia but it’s actualy not it’s actually an inbuilt protection system in your acient “monkey brain” to make you run up a tree when things just don’t quite add up. People who are more sensitive to “something odd” in the environment have the makings of “prey that survives to mate” or in modern parlance has the makings of “good situational awarness”. It’s something several thousand years of “soft social living” has been breeding out of humans.

And it can all go wrong through no fault of your own and others.

A friend of mine from years back invested his Army Leaving pension money into a property or two figuring not incorrectly that the financial industry were a bunch of crooks.

One property was in a part of West London close to Wilsden, a not particularly “good area” but improving. It was in a block of flats, but unknown to him and his tennant a number of the other properties had been taken over for a drug growing farm. His “something hinky” alarm was going full tilt and he was certain he wass being followed.

Now when it comes to field craft following people is a real art that few are any good at especialy if they don’t think about a “check tail” who folows on behind a principle to see if people are acting in a way that indicats they may be following the principle. Check tails are almost always impossible to spot if they are even half way good at their job and those that do surveilance know it’s safer to get a “man inside” than it is to follow people around.

So my friend asked me to check his tail, I aranged for him to walk slowly past a well known fast foodd outlet that had seating in the window and sure enough he had three people following him which was odd. So I decided to follow the last one and note where he ended up when my friend ditched the tails on a pre aranged signal. Well the last one on being ditched made a phone call and walked back to a point where he was picked up buy a couple of similar types. The car registration matched onethat was seen parked down the road from the flat quite often.

So a few days later I photographed all the tails to get nice clear face shots and printed them out A4 size and poped them in an envolope along with a few photos of the car and put a pole job up to watch the car. Sure enough about six different people used the car on “turn about” and 8 identified the property they were using which overlooked the block my friends flat was in. So the photos and a pice of paper with “who’s watching the watchers” in it was hand delivered to the property on the next turn about by my friend who then went and sat on a wall on the other side of the road and just waited. It took about half an hour for the crap to hit the fan. Needless to say they were not happy bunnies.

Any way they had another problem, theyed been blown but the other tails were unacounted for… Any way the upshot was a “drugs bust” two days later and all the tails disapeared.

We checked for tails again a couple of times later and did full sweeps with thermal and non linear equipmet of his home and office and did cell checks etc. and they all came up clean. But he has become more cautious and does a lot off basic OpSec field craft now including ditching the car and mobile and paying for a call taking service, and getting proper security in place. Oh and he gets on well with the local police as well they say hello and smile and he smiles back and is on first name terms with some of the more experianced ones

Is he now paranoid, not realy just more cautious and it’s payed off as the improved security has stopped a couple of break ins before much damage ws done and nothing got stolen and his tennants like the extra security as it makes them feel safer oh and his insurance costs are quite a bit lower as a result. Oh and he’s a lot fitter as well ditching the car in favour of a push bike gets him around faster as well as no more parking tickets or “congestion charge”.