Schneier on Security

Nick P • July 13, 2016 1:01 PM

A thread on Hacker News references an attempt to replace core banking with buzzwords and such. I decided to do a brief write-up on how I’d go about it keeping banks’ agenda in mind. Plus, I don’t like startups that might sell out or the word “cloud.” 😉 Re-posted here for your consideration.

“Alright, my turn. The bankers want back-end software that’s near 100% uptime, cost-effective, future-proof, flexible for integrations, and secure. They have all of those but cost-effective and flexible. The next architecture will have to do better on those. We’ll start with a sort-of, three-tier architecture & client-server model since those have been analyzed to death with tons of tool support for getting them right.

First, the datastore that simply stores raw data everything else depends on. The datastore will be bootstrapped on HP NonStop or OpenVMS clusters to inherit their high-availability. These systems already run banking backends in multiple datacenters with automatic failover and no lost transactions in specific, case studies. Decade plus uptime is not uncommon. They’re also way cheaper than mainframes with more support for modern SW & easier to access for ISV’s. The software itself will be built to have minimal dependence on underlying platform with tools to rapidly export data, sync with, or switch to a replacement. The will be a licensed copy of Google’s F0 RDBMS on OpenBSD & reliable servers rewritten in the manner about to be described. If not, then something similar. 🙂

The core, banking stack. This is the banking software for withdrawls, deposits, basic security checks, audit events, and so on. Anything that’s happening constantly in real-time with high-criticality. This will be contracted to Altran/Praxis who will apply Correct-by-Construction method to produce it in C, SPARK, and Rust simultaneously. Best available tools for static analysis and testing will be applied to each to catch whatever others miss. Prior work in just SPARK has almost no defects. A combination of simplified components with extra checkers should further reduce that. The protocols will be contracted to Galois Inc to do in TLA+ and Haskell. Especially generic, secure, messaging protocols to replace SWIFT. Altran will implement anything Galois finalizes to integrate with rest of system. Paid, peer review by people with track record of finding esoteric flaws will occur for each of the deliverables.

The client, presentation, and application layers’ hardware will be SAFE architecture (crash-safe.org) or CHERI CPU’s (CheriBSD). These will be implemented with Leon3-FT processors on a Silicon-on-Insulator node with ChipKill and ECC RAM. They will run minimal OS’s created for embedded systems with proven reliability & performance. Those will be modified to support security features of processors plus support security labels for users & apps. Each machine, a la DiamondTEK LAN, will have PCI cards (or on-SOC HW) that authenticates users on trusted path, checks system integrity, end-to-end encrypts all data, and especially tags/checks packets with security labels of users & apps. Specific hardware modules will exist with data diodes to constantly sniff network, transaction, and audit trails to check them against a security policy. Similar one for reliability and performance of network.

The software stack will akin to REBOL’s reblets and container apps. The apps will be isolated on microkernels with basic, GUI forms. These apps will be developed in both a safe, systems language plus an information flow language like SIF. The systems will be shown with analysis & testing to be free of common errors. Information flow analysis will prevent common forms of information leak and security breach. The apps will integrate with trusted hardware to pass labels along. The server apps will pick up those labels & continue to factor them into their operations. Over time, the tooling will mature to automate these operations with only basic annotations by programmers plus a formal, security policy by administrators.

People still need to get work done in terms of Internet research, report writing, and so on. OSS apps for these will be ported to the platform overtime. Meanwhile, the client-nodes will support physical virtualization whereby those nodes can run on a PC with mediated, information sharing and built-in KVM. Users simply press a button to be in a regular desktop. Documents and such will be done in easy-to-analyze formats that are checked by a guard upon transfer. Those files are also labeled. Anything that goes into the trusted machine will be shown in text form for visual confirmation by operator plus automatically sanity-checked & logged for any other auditing. Overall process will be like switching tabs + drag n drop to encourage users to work with security features instead of against them.

The corporate itself will be a non-profit. The charter will put a cap on how much profit it can take with a lean approach to administrative expenses, limits on executive compensation, and limits on management-to-staff ratio. Incoming revenue is to be put into further QA/pentesting of platform, development of it, support to customers, consulting for integration/extensions, datacenters for availability, and so on. The nonprofit will be established in a jurisdiction with strong laws favorable to honest banking plus minimal corruption. Its operations will be audited by third-parties who also have their own, dedicated hardware & cages. These factors will collectively eliminate or reduce the risks of VC-backed sellouts, management cooking the books, top-heavy organizations, and stagnation from lock-in.

OK. So, let’s summarize. The hardware itself will be simple but highly reliable. The software is done in languages immune to most coding errors with high-level properties precisely specified, checked, and pentested. The two integrate well to eliminate abstraction gap attacks. The initial backend is software that has over a decade of uptime with modern stuff coming online if possible. The non-core apps on client and server encode sensible use into information flow policies that are checked in several places & efficiently. All apps and network are black-box to attackers with tons of defense in depth. Insider risk reduced as they put individual name & reputation on each action with mutually-suspicious auditing they can’t remotely sabotage due to data diodes. All of this tech already exists in either prototype or production form with suitable substitutes for prototypes that turn out infeasible to use. It’s also legally setup to be more trustworthy in terms of what people will do & long-term benefit. Initial development costs would be huge but the first year without mainframes and SWIFT will probably pay it off. Especially spread out among numerous banks investing.”

Nick P • July 13, 2016 3:45 PM

@ r

I was in both threads so it’s all good. 😉 Yeah, the banks mainly push the cost on us. Other thing is they don’t want to risk stuff crashing down. Finally, there’s probably plenty of schemes in those systems benefiting people that are currently invisible.

Nick P • July 14, 2016 10:23 AM

@ Figureitout

As usual, a mix of useful questions and being negative for the sake of negative by ignoring information in my post. I’ll addess the latter first as there’s only a few this time. Progress. 😛

“Is Altran/Praxis or Galois up-to-date w/ banking regulations/specs? These are typically at least 200 pages of legalize, banking it’s probably no less than 1000 pages of info that needs to be accounted for.”

No, they’re obviously going to build the systems. The domain requirements are done by domain experts as in every successful project in existence. What has to be put into a computer will be discussed with and eventually handed off to the tech people.

“Who’s doing the peer review that’s not going to be a waste of money?”

Like in the comment, people with prior experience both finding hard-to-spot bugs in systems and publishing them. That they looked for a while, found stuff others missed, and reported it establishes credibility. One can offer bonuses for bugs found on top of dedicate pay for time put in.

“who provides support when things fail (which they will) when you have OpenBSD (not sure of Google support, never used).”

You’ve never heard of OpenBSD, OpenVMS, or NonStop? How all their users talk about them basically never failing with a reboot or restore being worst-case with such quality? How two of those are supported by multi-billion dollar companies running entire Fortune 500 companies “nonstop” for decades with clustering that automates recovery & didn’t miss any transactions in real-world disasters? And you assume they’ll just crash down entirely then imply nobody can do something about it? Lol…

“What products combine Ada, Rust, SPARK, and C?”

The contracted work I just described in the comment.

“Replacing SWIFT, w/ a new protocol. How would that be designed?”

Re-read the comment. Galois will design it like they design everything else. I’ve already described their work here. Likely a re-configuration of a proven one with solid implementation.

“So, as usual, way way too much for a security project; way too much opportunities to fail. ”

As opposed to the same, damned thing on monolothic systems, C/C++/COBOL code, Windows boxes, Cisco routers, and security-by-obscurity mainframes? That works most of the time despite horrid security and architecture. Mine would be more secure by design, detect problems more easily, & more recoverable so fail isn’t apt description at all compared to existing situation.

Now, to your legitimate questions that my comment didn’t already answer or imply.

“SAFE project hasn’t updated papers since March 2015”

Google gave me different results (below). The PUMP is done. They’ve already designed it, tested it, ran lots of policies, and so on. Just needs to be added to real CPU. Draper is putting a PUMP on RISC-V then trying to build an ecosystem and brand out of secure CPU’s. That’s hopeful. Just look at micro-policies supported to see how insanely flexible their mechanism is. I prefer hard-coding a few of those but I’ll take a PUMP over a mere MMU any day. Plus, some of those policies will work wonders for debugging system code. By itself might justify the cost for businesses that already spend big $$$ on development tools.

http://riscv.org/wp-content/uploads/2016/01/Wed1430-dover_riscv_jan2016_v3.pdf

“What specific OS on embedded chips do you run, I thought it was CheriBSD? Where is this embedded OS running then?”

Which embedded chips? The PCI guards? There’s a few you can use with high-security profile. I’ve already written tons on that topic. Pick whatever is the best deal at time of development. The cool thing is that the system is tiny. Takes almost no functionality. So, you could just as easily strip out all non-critical stuff in a BSD or apply full-safety techniques to a RTOS. There’s almost nothing to evaluate with most stuff running compartmentalized in safe languages. Plus, pick whatever CPU you want without Intel’s baggage and BS (esp ME). It’s why I love coprocessor model.

“How are the endpoints doing the data diode sniffing secured? What hardware, what are they running?”

Same as above. You pick what works for you. For example, SVA-OS adds security checks to the key hardware resources and to all the code in Linux kernel. Combine a technique like that with stripped-down OS, trusted boot, IOMMU, append-only filesystem for logs, and serial port for administration to get quite a bit of security. I mean, what are they going to do remotely without a code-injection opportunity or ability to see results of commands? Not shit. Have diverse monitors that both monitor the network and each other on top of that if you want. Sneak microcontrollers in that do nothing but sniff memory or data busses for anomalous stuff.

“Why support KVM? Just more crap to support.”

A Keyboard-Video-Mouse switch is one of the strongest forms of separation in existence. You can implement it as a button or switch that physically disconnects your KVM from one PC then connects to another. Many cheap ones probably do it in software or on MCU. Obviously, I’d do it the stronger way. You want to pick the untrusted hardware carefully though so I doesn’t leak around that somehow. There’s companies specializing in combining desktop-style components with embedded boards.

“What guard? Where is all this extra hardware features being supported in? CheriBSD or the embedded OS?”

That hasn’t been determined. Better to decide on it once other stuff is figured out. Essentially, it can be onboard software (weak/fast-transfer/cheap), network appliance (strong/slow/mid-cost), or onboard embedded (strong/fast/higher-cost). Can mix these, too, where content easy to analyze goes over software but rough stuff goes to high-strength options. That the software is written safely, is isolated, and results checked help things a lot.

“No novel defenses for insider attacks, that risk remains the same in this scheme as presented.”

Bullshit. I just presented total tracing with mutually-suspicious auditing. Knocks out all kinds of insider attacks. Others remain. Banks will be fine with that as they’re among the best at keeping insider damage to an acceptable level. I just reduced that level. Success.

“Limits on executive compensation won’t fly at banks”

It’s flown many times at independent ones, credit unions, and financial non-profits. They still make good money. They just don’t pull $10-15 million a year. Remember, though, that this organization isn’t a bank: it’s a nonprofit that provides software and services to banks. SWIFT is, too, just with narrower focus. Even their money-grubbing asses only spend $16.5 million, that’s short- and long-term expenses, on all their executives and directors combined. I’d pay that if it guaranteed contracts (networking benefits) but if not the number could certainly go down by over half.

@ Thoth

“Heck, even the SafeNet Luna HSM’s on-board OLED screens which are so much dimmer and smaller are also nice to read off. What I meant is they need to step up their efforts. Thales side, the HSM have enough meat to expand the screen a little.”

Makes sense. I didn’t know you worked with Luna’s, too. What was their quality and interfacing like?

“Just make sure the usability and marketing hype side gets a boost. ”

Oh, I will. Buzzwords, high-octane sales team, enterprise support partner, booth babes, and free meals at five star’s for the CTO’s. I know plenty of people that can handle the marketing and sales. I also know how to evaluate them plus people I can trust who are better at that. Get them in on it worst case. Good news is this was mostly a counter-proposal to an Internet article instead of something I’m starting up. I have no intentions to directly compete with banking sector, HP, or IBM. That’s asking to be sued into non-existence. More likely to secure what they have or selectively replace things where secure coprocessors, front-ends, or whatever runs in parallel with existing tech. Big companies still make their money, I make some, and security + speed + flexibility go up for banks. That’s what I’d aim for.

“note that the messaging protocol is inside ISO standards for bank messaging”

Didn’t know that. Wasn’t sure if it was proprietary or open messaging they used. That’s pretty cool then. I get to hold a Wirth-style, formal grammar side-by-side with a printed copy of the SWIFT stack. Then, I say, which do you prefer to have to manage, fix, extend, and support for next few decades? Oh, btw, mine might get simpler over time and allows hot swapping the protocol itself if it ever is inadqueate. Liability conscious mgmt likes such things.

“Whenever I need to reference an electronic banking standard, it makes me want to hide under my desk. ”

I’ve seen many of them. Horrid. The best bet is to get a domain expert with prior experience in them. They work with a group like Praxis to spec it out with quick-and-dirty prototypes for exploration/understanding. Also, divide it up into incremental pieces to assess progress. The group then builds a piece at a time, testing in non-critical sites. Each block that gets built can be licensed competitively to recover some costs. It’s the model that Karger at IBM used to build their EAL7 smartcard OS, policies, and crypto.

“By the way, Guards and Data Diodes are usually not so common or even rare in banks. Those things really hinder traffic and the last thing you want is a frustrated administrator.”

That’s because they work against the apps instead of with them. Remember I’m proposing an integrated architecture. Think like the clouds with their containers and supporting stacks. It’s all smooth because it’s packaged to work seemlessly. Makes things easier for admins as they’re just keystrokes away from getting whatever resources they need. I’m doing something similar with isolated apps on simpler hardware and software. Guard & diodes are in specific parts that admin and user won’t even really see most of the time. For users, it would be drag-and-drop with a background task much like shared folders or printing.

“Don’t be surprise even the Government IT guys don’t even know what is a HSM or more advanced stuff like Guards and Data Diodes”

I expect that. I have arguments suitable for laypeople that I’ve already tested on both lay and IT people. Ironically, I get more resistance from INFOSEC people on INFOSEC techniques as they would clearly work to laypeople once put in their language. They just worry about cost or time involved, which are legit concerns.

“I have looked at community-based Microkernel offerings and none of them are satisfactory.”

They need more work. One of reasons government and commercial sectors are using the commercial microkernels. They at least have paid engineers to fix stuff when it breaks. Plus they have a number of working components. 😉

“There are concerns for hardware backdoors but do you have a workable and ready Off-the-Shelf solution I can purchase ”

That’s incremental. I mentioned building hardware in the proposal. We start with existing stuff in hardened configuration. That bootstraps the product to get money coming in. Justifiable given all competitors have HW problems without our hardening. Then, I selected Leon3-FT as (a) it’s reliable and (b) already ASIC-proven. Could trade reliability for performance with quad-core Leon4 if necessary. I could use their process nodes or do it on a new one. It’s low-risk either way given how it’s designed and how many silicon implementations it’s done. The SAFE, CHERI, Hardbound, whatever modifications are relatively small. Basic IOMMU and trusted boot are small. Low gates + pre-proven HDL = lower risk.

“To step up security assurance, I am slowly feeding companies and organisations I deem responsive and willing to improve with ideas (and even blueprints). One example is the Ledger guys who made the Ledger Blue (and now the Ledger Nano S) which some of the ideas I have contributed and given feedback as I foresee their capability in producing higher security assurance security devices ”

Good. Keep it up. I’m putting a little review into Ron Garrett’s HSM right now. It’s for host compromise with no physical or EMSEC security. Unlike smartcards, it does have a trusted path for user. Costs about $60 in limited quantities. Interesting.

@ r

It’s a problem. Not as much as you’d think, though. Altran (formerly Praxis) is said to charge a 50% premium for nearly, no-defect systems. That’s not so bad. LOCK had a nice breakdown of what A1 assurance costs for a system with custom HW, an OS, user-space software, and a 3rd party coprocessor. It was 58% for A1-related extras on top of regular development process. Cost about a third extra for cryptoprocessor assurance. So, it’s significant, but not unreasonable given databases go for $70,000+ a CPU and mainframes for $25 million a system most of which are profit. Plenty of opportunities to sneak in high assurance by just saying it’s reliable, secure, and quickly fixed product with (desirable features) at (acceptable price for offering) which pays for assurance over time. Incrementally as Thoth said and illustrated here by legendary Paul Karger for smartcards.

Nick P • July 15, 2016 2:41 PM

@ r

As Thoth said, your chips are usually drawing power at some level unless the mechanism flips a physical switch or something. What happens is some components that use almost no power stay awake to watch for reasons to turn the rest back on. The earliest devices for that were 4-bit MCU’s for wristwatches, electric razors, and so on. Other data on low-power circuits here:

https://en.m.wikipedia.org/wiki/Low-power_electronics

For high-performance ones, they use something called clock/power gating. Similarly lets you keep gates off much of the time.