Schneier on Security

Nick P • February 6, 2015 9:28 PM

@ sena

Minix 3 because it’s getting more development than Hurd. Monolithic would be FreeBSD (features), OpenBSD (code quality), or NetBSD (easy kernel changes).

Nick P • February 6, 2015 11:09 PM

@ Wael

One of the early opinion pieces I remember on the topic was a guy from the NSA suggesting we should put trackers on anyone arrested for a crime. The crooks would have tracking devices following their location and future tech might even track their emotional state. The cost would be covered by the wearers (“subscribers”).

Today, we do track criminals with devices and expansive law enforcement power would mean this might also be a way to track more of general population. He was closer to the mark than most speculating.

Nick P • February 7, 2015 5:05 PM

re homebrew systems

This page has the description, software source, and hardware source of a modern Oberon system port. There’s also a Windows emulator. People coding non-Oberon systems might find the description and source code for Oberon routines useful for more quickly making their systems usable. Of course, porting the Oberon System to the new hardware is the ideal bootstrap route.

Nick P • February 7, 2015 11:55 PM

Actually, the magic cocktail is Guiness beer and refried beans.

Nick P • February 8, 2015 12:21 AM

re “Nick P”‘s Guinness and refried beans

Good to know the fake doesn’t have me under surveillance. I surely wouldn’t torture my date’s nostrils like that.

Nick P • February 8, 2015 11:05 AM

@ Clive Robinson

That’s interesting. Now the Feds can defeat RP2-based security schemes by executing a search warrant and taking pictures with enhanced cameras. 😉 The guy who discovered it changed his signature to “Discoverer of the PI2 XENON DEATH FLASH !” Haha.

@ sena

re prison

The components would likely be equivalent to the standard libaries of most languages. On top of that, people would contribute components to solve various problems in sites like SourceForge or CPAN. The components would likely be written by people of various skill levels. This means the probable implementation of Clive’s model would need two programming languages: a highly productive and safe scripting language for average developer; a safer systems language amenable to strong verification for the native components. Optionally, metaprogramming like in Racket Scheme for ease of integration and auto-generating/optimizing code for various targets.

re distro

Probably Ubuntu and Mint because they’re the most usable desktop experience in Linux. Usable plus reliable and plenty hardware support. The trouble I’ve gone through in some distros for wireless is a good example of how far ahead Canonical is.

Nick P • February 8, 2015 3:43 PM

High Assurance News: Update on my recent reading
(Focus is on NICTA and ETH in this one.)

From NICTA:

Building high assurance secure applications using security patterns for capability-based platforms
http://ssrg.nicta.com.au/images/pdf.gif

Towards a verified component platform (applies above)
http://www.nicta.com.au/pub?doc=7281

Termite: Automatic synthesis of device drivers
ssrg.nicta.com.au/projects/TS/drivers/synthesis/

Note: I’ve posted original Termite paper before. They’ve revamped it (Termite-2) into human guided synthesis with software available online. In “Publications,” see the paper “User-guided device driver synthesis.”

AutoCorres: Automatic specification abstraction [from C source code]
http://ssrg.nicta.com.au/projects/TS/autocorres/

Note: Based on tech used in seL4 verification that went down to C code. The source of the tool is BSD licensed.

Trustworthy File Systems
http://ssrg.nicta.com.au/projects/TS/filesystems.pml

Note: Source isn’t available yet as it’s probably in design phase. Meanwhile, we can just use clustered file systems with trusted front end components that make the file systems untrusted. These components usually include encryption, integrity protection, and splitting across nodes.

From ETH Zurich:

ARPKI: Attack Resilient Public-Key Infrastructure
http://www.netsec.ethz.ch/research/ccsfp200s-cremersA.pdf

Note: Distributed PKI with strong security properties in presence of compromised nodes and deterrence effect by making malice obvious. Haven’t read it yet but the concept is awesome. Abstract description reminds me of my multinational, distributed SCM security scheme.

Secure Remote Execution of Sequential Computations
http://www.syssec.ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/system-security-group-dam/research/secure_verification/Execution.pdf

Pay as you Browse: Microcomputations as Micropayments in Web-based Services
http://www.syssec.ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/system-security-group-dam/research/secure_verification/www-karame.pdf

Note: Interesting alternative to advertising. Many Web users’ PC’s have a surplus of spare CPU cycles that cost them nothing extra to use. Using them as payment is clever and might be viable. Further, if more automation is used in development, this might be useful for the build systems of open source software: each view of the page contributing a static check, unit test, code gen for specific ISA, and so on.

ETH’s Network Security Group Publications List
http://www.netsec.ethz.ch/research/publications

Note: So much interesting and potentially useful stuff on one page I might as well let you decide yourself on what you want.

Conclusion: NICTA and ETH Zurich are doing great work with plenty of practical value. Best wishes to their teams on current and future work. Hope good stuff gets adopted.

Nick P • February 8, 2015 11:46 PM

@ Skeptical
(from the real Nick P)

“Obviously I lack all technical expertise, but from a position of great ignorance, I must ask ”

“but to the extent it relies appropriately on Xen for much of the work of isolation, it would be relying on something that must receive a fair amount of ongoing testing, no?”

I think you’re a tad more technically proficient than you let on. 😉 Good catch on a flaw in my hasty post. The Xen isolation component does receive a lot of attention. That increases the review aspect for that component. Then, there’s their own components which are sometimes privileged (bypass isolation property). These still need more review. One other issue is that (I think) you can’t run Qubes on the variety of processor architectures and hardware that you can run BSD/Linux on. This negates a useful obfuscation whereby you use hardware nobody, even pro’s throwing a wide net, are targeting. Not to mention diverse suppliers to counter subversion. I got plenty of mileage out of those tricks in the past.

” I have enough trouble with Windows XP (darn thing refuses to update, and I may revert to Windows ME, an OS in keeping with a security principle I’ve dubbed “security by frustration”, i.e. any uninvited guest deals with the same unworkable system that I do) so I wouldn’t consider anything else”

That’s hilarious. Same strategy as military’s nuclear C&C computers, too. Windows ME was Microsoft’s greatest achievement in user frustration until Windows Vista. That you’re using WinXP is a problem: it’s pretty much EOL and unsupported far as security is concerned. The best option for you is Windows 7: the security and functional enhancements of Vista with only 300-400MB of RAM. IIRC, WinXP typically uses around 300 background. So, Win7 with unneeded stuff turned off, appearance set to vanilla windows (no Aero BS), and so on is quite efficient. Way more secure than WinXP and around $80 on eBay. Apply a hardening guide or two after you install it along with Firefox + NoScript and/or Firefox + Sandboxie. Do backups, etc.

“I’m a little mystified as to why the use of virtualization would necessarily imply better security than a monolithic kernel. In principle it seems as though either could achieve, or fail to achieve, separation of certain defined domains from one another. ”

They absolutely can. The problem is that OS’s have a ton of complex code running in kernel mode doing all kinds of things, including separation of user-mode processes. A flaw in any of that can compromise the whole system due to unrestricted memory and CPU access of kernel mode. OS’s architected better largely faded in market due to incompatibility with legacy stuff, less performance, less eye candy, and so on.

A compromise was wrapping a legacy OS in a container running on a much simpler [in theory] piece of software (i.e. hypervisor). The OS is less privileged or deprivileged. Any software using the OS interface can run on it, maintaining prior investment. The hypervisor might abstract away the hardware while providing guests functions to call to emulate hardware operations. This allows the hypervisor to mediate access to resources along with multiplex them among many simulated machines that all think they’re the real thing. So, long story short, a hypervisor like Xen at 50,000 lines of code is much easier to assure than a kernel like Linux at 100,000-1mil+ lines of code. Provides benefits outside of security, too. Icing on the cake.

“Perhaps in more practical terms, though, the relative simplicity of a type 1 hypervisor (or whatever those things are called) allows easier verification of that achievement, or failure, than a monolithic kernel? ”

I should’ve read your whole post before I wrote the reply. You figured out a huge chunk on your own it seems.

“It occurs to me that one of the neat things about “air-gapping” is how easy (seemingly) it is to verify. Mark-1 eyeball, leaving aside certain things that might require an additional tool or spec or two. Even including those complications, it sounds like something even someone like me could accomplish if given a few directions.”

Somewhat. Against malware, I’d say it’s pretty true. Targeted attacks by people with resources still need expertise. The trick is that data is likely to be shared somehow. That’s where the attack and/or specialist techniques come in. I swore I had an essay or two here on air gapping yet I can’t find it. Really weird. If I do, I’ll link to it in a future comment.

” It sounds like an oxymoron to me of course, but I’ve heard that various folks have an interest in it, and given the name, I wondered whether it might not be at least tangentially related to this issue.”

Never heard of it. There are plenty of tech and research centered on mutually distrusting parties trying to work together on something. Most computing relies on overpriveleged, black boxes at many layers of the system.

“wouldn’t certain Red Hat flavours offer equal if not greater reliability and desktop experience? ”

The “enterprise” distribution aims at high reliability. The Fedora desktop distribution aims to be cutting edge. That counters reliability a bit. The most important metric is “easy enough to use that you will keep using it.” Fedora falls behind a bit there, I’ve heard SUSE does a bit better on that, and Ubuntu-based distros lead in that category. Your Mint comment is strange because it’s designed to look a lot like Windows: a “Menu” button in bottom left simulating Start menu, quick launch icons to the right of it, tabs of running apps to the right of that, and far right is app + configuration icons like in Windows. Some Linux lovers dodge it for this reason. Ubuntu seems to have a bit better performance and quality, though.

Nick P • February 9, 2015 11:12 AM

@ Clive Robinson

That’s actually a good counterexample. I should amend my subversion-resistant development process to include domain experts where esoteric stuff like cryptography is used.

@ Thoth

re C v P

Clive came up with the metaphor. I hate it. It’s only semi-accurate and makes one put a lot of energy into the metaphor rather than systems. The conversation was really about comparing my design approach to his. Mine focused on prevention, his monitoring and detection. Here’s simplified versions of the actual design to illustrate.

My original method corresponded to EAL6-7. You capture requirements, create a matching design, a corresponding implementation, bake security into all that, testing, covert channel analysis and so on. You do this to the TCB in a way that establishes security properties for the rest of the software. This might mean memory safety, control flow safety, prevent leaks of secrets, isolation of malicious code, and so on. System as a whole is decomposed into easy to analyze modules with a security policy. By design and implementation choices, the security failure should be low probability and hopefully impossible in practice.

Clive’s design is more complex to describe. He envisions a CPU with hundreds of little execution cores with MMU’s controlled by a hypervisor. The hypervisor determines what memory or I/O the core can access. The system (apps and OS) is broken into very small functions, each function’s execution properties are profiled, each function executes on a tiny core with POLA, and misbehaving functions register an exception. He also recommended that apps be scripted combinations of individual functions that were written by experts.

The reason the metaphor sucks is that it would mislead you. Failures include that my model doesn’t treat everyone equally (eg capabilities), will put processes in cells (eg segments), and has the equivalent of Prison’s warden in exception handling by apps and admins. The metaphor takes pages to fail to describe approaches I summed up in two paragraphs. So, best to think of the real things while using C v P as a reference to them: C is prevention by high assurance TCB; P is monitoring and mitigation at the function level via execution signatures. I critiqued it as impractical here.

Meanwhile, research into prevention, detection, and combinations moves on. Researchers aren’t building whole high assurance systems [mostly]. The focus isn’t on monitoring the behavior of functions. The best research in both sides focuses on modifying or extending processors. Prevention might enforce controls per type, key, or ACL over a number of properties. Detection systems architect things to raise an exception when unusual behavior occurs based on simple criteria (eg an unusual source & destination on a jump). The better of these methods enforce a great many protections in the system while not slowing it down much and being easy to implement. As Clive predicted, the future would have pieces of both models. Fortunately, the new stuff is also easier on developers than both. 😉

Nick P • February 10, 2015 12:43 PM

@ Clive Robinson

re range

You’ve addressed the address range problem with quite a number of creative solutions. I can see that working for especially simple or embedded machines. Not as sure for complex desktops or servers where there’d be lots of indirection and windows. Maybe on that one.

The throughput and storage benefits of higher bits remain. Most numbers and values I see in real-world applications can’t be held in 8 bits. This means a simple instruction must become a number of them executed sequentially. That kills efficiency and is one of the reasons supercomputers settled on a minimum of 32 bits for data. This was true for DSM’s, vector processors, NUMA, and clusters. Mainframes as well. Dropping to representations that your data can’t fit in kills throughput. Do you have examples of 8-bit CPU’s working on 32-bit numbers as efficiently as 32-bit CPU’s? It’s necessary because much of the work is inherently sequential.

re “Further the short virtual memory addresses makes the generation of the RISC microcode/instructions much more efficient and tailored to the tasklet in each prison, alowing more to be done with less because of the tailored and optomised approach. ”

That can definitely improve performance on many algorithms. I’ve advocated the microcode aspect myself.

“The advantage is that coding up the task as RTL microcode and custom instructions gives a high degree of flexibility and efficiency as well as speed. One future of parallel computing will be not by using multiple traditional “general purpose X bit CPUs” but by using highly configerable CPUs.”

One issue we have in this debate is that your thinking has evolved based on our discussions here, I reviewed your original statements, and your rebuttal differs from them significantly. For instance, what you just described is the Tensilica approach I gave you in 2012 in response to your post referencing whole “CPU blocks” mediated by a state machine hypervisor. (Tensilica is in comment below.) It’s also similar to NISC architecture I referenced here a number of times. So, your original architecture references simple, CPU cores while your current reply is talking about Tensilica/NISC-style systems with mediation.

Doing that is one of the quirks in your writing. Nothing wrong with evolving views as my own have changed as I learned during our discussions. My MPP security architecture was obviously influenced by your Prison proposals, for instance. It might help, though, if you sit down and come up with a clear picture of your Prison architecture as you see it today. I critiqued Prison v1 after digging through lots of comments where you gave specific, technical details (cited a few later on in that thread). Your current description, Prison v2, is more efficient and has less implementation issues than the original. The confusion arises from the fact that we are debating effectively two different designs as if they’re the same when you’ve clearly upgraded it with the results our prior discussions and your own research.

It might be worth detailing the concept, ensuring its consistency, describing how it might be implemented with methods that exist today, where it might be improved with future R&D, and putting it all in one post on a Squid thread for easy reference/reading. Then everyone (esp Wael and Thoth) will all be on the same page as to what exactly you’re describing and evaluate it fairly. I’ve done this myself and plan to do it again for my framework in near future: nobody is going to (or should be expected to) comb through thousands of my posts trying to understand what I describe in a comment. I provide indexes and revisions instead.

The other benefit to you doing this is that it might benefit the work of those thinking in similar directions as you. Quite a number of them I’ve seen. Plus, ideas like the window scheme for working with large amounts of memory in tiny CPU’s might be beneficial by themselves for those building homebrew systems.

Nick P • February 10, 2015 5:30 PM

@ All re FPGA’s

A lot of interesting stuff on eBay as usual. However, this seems more interesting than usual because of what it comes with: Xilinx Vivado Design/Synthesis tools, tutorials, lectures, and game building examples. Vanilla Spartan-6 dev boards from Xilinx are around $250 while this is $350. Might be a decent buy.

Nick P • February 11, 2015 10:59 AM

@ Andrew_K

I assume it’s to come into feature parity with IBM’s AIX: the reigning king of UNIX OS uptime. One of it’s proponents bragged they could live update their kernels to avoid downtime. While it has a bit of security risk, it’s actually a good idea where downtime is considered a greater security threat. Mission critical enterprise apps, mainly.