Schneier on Security

Nick P • November 25, 2016 12:10 PM

I’m with Bruce on bringing in regulations or liability. I know it brings a ton of speculation and counterpoints when brought up. I think the one’s I see on Hacker News are worth addressing collectively since they turn up constantly on any forum. They reflect a consensus of concerns by IT & business people in general. Here goes with concerns paraphrased.

“I’m don’t know if security for software could be encoded into regulations.” “If it could be, I’m not sure it could lead to more secure software.”

It was done successfully before. Resulted in most secure products ever to exist. A few still use such methods with excellent results during pentests. Also preempted major vulnerabilities in popular stuff. Such methods would’ve also prevented a good chunk of Snowden leaks and TAO catalog. Bell, of Bell-LaPadula security model, describes it here:

http://lukemuehlhauser.com/wp-content/uploads/Bell-Looking-Back-Addendum.pdf

Examples included Boeing SNS server (going strong 20+ years), BAE XTS-400, Aesec GEMSOS, esp KeyKOS, a secure VMM, an embedded OS in Ada, GUI’s immune to keylogging/spoofing, databases immune to external leaks, and so on. CompSci projects with practical bent had even more stuff. Such research continues today but is a trickle compared to, say, Java extensions or machine learning stuff. Same thing happened with DO-178B, etc for safety-critical markets: tons of high-quality components showed up with many reusable.

“So then I guess you also want a Personal Computer or Home Security System to be $1,000,000.”

“You’re mentioning an industry funded by about 1/6th[0] of the Federal Budget related to war and consequences if things go wrong. Just cuz it worked for the DOD doesn’t mean it will work for anything else.”

If we’re increasing the baseline, there’s companies size of startups that do it all the time while remaining lean in expenses with speed in development. An example of low-defect methodology was Cleanroom that varied from reducing costs to neutral to slightly increasing them. Complexity could still be high as Cleanroom just forced better structuring. Cost and speed overall unaffected on average since up-front quality reduced debugging and maintenance phase costs so much. Finally, for high-assurance, applying it to well-understood problem areas… such as TCB’s, VPN’s, or compilers… ranged from 35-50% premium on top of normal development process. Nearly unhackable Windows at $150 instead of $100 sounds like a steal.

Main drawback of highest security is loss of development speed. The amount of rigor on problems with unknowns means you are going to spend quite a bit of time on modeling them, analyzing them, prototyping them, pentesting that, and so on. Lipner, when leading VAX VMM for high-assurance, said it too “two to three quarters” to implement a major change in the product. Probably weeks to a month with crud approach common in industry. They also had less features due to (a) need to figure out how to secure them and (b) esp complexity & inherent insecurity of many standard features. High-assurance systems would need to pick ZeroMQ over OLE or CORBA, JSON over XML, native apps over web apps, Modula-3 over C++, musl over whatever GNU builds, and so on. Throwing stuff together with no thinking about effect of their architecture, coding style, or implementation tooling will go down in huge way for products with high assurance requirements. This would be opposed by a lot of people. Even “INFOSEC” people that I see. 😉

Quick note on pricing. Remember that the extra cost get spread out among large numbers of users. If one survives the initial development, then the resulting software gets cheaper as it grows. The idea that we’re spending a million for Windows or Oracle is ridiculous. On per-customer basis, it would probably have the same ridiculous price it has now if medium assurance under Cleanroom with a safe language.

“The free market crowd would argue that the surviving companies will bake in the right security if consumers demand it. If companies don’t take it seriously, either their customers aren’t demanding it, or they will be replaced by companies that do a good job at it.”

I argue this myself. However, let’s include the caveats of cartel and otherwise malicious behavior againts consumers that reduces the impact of that preference:

Companies lie to customers about how necessary these vulnerabilities are. They condition them to expect it. They also charge them for fixes. It takes almost no effort to knock out the common ones with only 30-50% premium for high-assurance of specific components. Even premium producers often don’t do either with those that do so rare most consumers or businesses might have never heard of them.

Years of lock-in via legacy code, API’s, formats, patents, etc means consumers often don’t have a choice or only have a few if they want the modern experience. Many times specific choices will even be mandated by groups like colleges. Market created the problem that now lets it milk a captive audience out of money. It won’t solve that problem no matter what they want.

First Mover advantage, lock-in techniques like obscure formats, and patents combine by themselves to give rise to the situation we’re in. Two of those are protected by government. They will need to be solved at government level. Or just force the incumbents to provide increased security in what they lock us into.

“I mean the only reason lawmakers and regulators are not all over this issue is because they don’t realise how bad things are.”

They realize it. Impenetrable systems are also impenetrable to FBI and NSA which advise against the good stuff being mandated. The bribes they take from COTS vendors also brought in a preference for insecure solutions from samd vendors. Everyone paying them wants to maximize profit, too. Costly rewrites will cut into that.

So, they’re willingly covering their ears while sitting on their asses. At least those on major committees.

“What would a better version of the situation look like that would preserve benefits of the Internet while dealing with events like massive DDOS’s?”

A combo of per-customer authentication at packet-level, DDOS monitoring, and rate limiting (or termination) of specific connection upon DDOS or malicious activity. That by itself would stop a lot of these right at the Tier 3 ISP level. Trickle those suckers down to dialup speeds with a notice telling them their computer is being used in a crime with a link to helpful ways on dealing with it (or support number).

Far as design, they could put cheap knockoff of an INFOSEC guard in their modems with CPU’s resistant to code injection. Include accelerators for networking functions and/or some DDOS detection (esp low-layer flooding) right at that device.

https://en.wikipedia.org/wiki/Guard_(information_security)

Old one from high-assurance field, albeit with medium rating, that did what I’m describing in an Ethernet, card computer:

https://web.archive.org/web/20040623100328/http://www.cryptek.com/SecureNetworks/products_diamtek_dia_link.php

Modern implementation could probably be done in a cheap clone and security-enhanced mod of this product:

https://www.cavium.com/OCTEON-II_CN68XX.html

Nick P • November 25, 2016 1:49 PM

re OpenBSD and you

I’m tempted to demolish it right now on Lobsters. I’m going to hold off given I’m trying to relax a bit today & that’s a prime hangout for OpenBSD devs. Has jcs not disabled downvotes, they’d have made the shit disappear for sure haha. I’ll submit the rebuttal as a story later. Let’s prototype and discuss it, here, though. 🙂

“OpenBSD has been around for more than 20 years (October 1995)”

I’ll let them have this claim. It’s probably true.

“OpenBSD is proactively secure with only 2 remote holes in default install in 20+ years.” (my emphasis added)

Now, this is a pile of bullshit. We start here. First, the competition includes whatever services and apps people might need. OpenBSD in same presentation comes with all services, even OpenSSH, disabled by default. In other words, anyone who didn’t use any services or apps on OpenBSD only had 2 remote holes by their count. Is that how it’s deployed in the real world, though? I imagine there were more problems than that when people used it in combination with actual software.

Next is the foundational problem here. They find and fix bugs in their C language code all the time. Sometimes, they find a new class or pattern of bugs they then look for all over their code base. What they don’t do is stop to assess whether the bug could be turned into a vulnerability. That is, they count what they find as bugs not vulnerabilities. Except for those 2 for some reason. Whereas, most bug hunters for Linux or Windows try to write an exploit for what they find then call them vulnerabilities. It’s really dishonest to claim only two, remote holes in default install if there’s been a crapload of bugs found in default install with them just not assessing whether they were vulnerabilities.

I rate that common claim by OpenBSD proponents as a straight-up lie. Pure propaganda. The common case for bugs vs vulnerabilities predicts at least one of those bugs they found was a vulnerability. Probably a lot more.

“OpenBSD pioneered and is still leading in code audit.”

Code auditing actually started with the people who independently invented softare engineering around same period of time:

1. Bob Barton’s 1950’s proposal called for higher-level CPU’s, safer languages like ALGOL60 for OS code, and teams of people from development to verification. They used that in Burroughs B5000.
2. Dijkstra (and/or Hoare due to fuzzy memory) came up with concept of making software modular, putting checks at interface in each module, carefully scrutinizing code for correctness, and using formal specs for them. The resulting THE multiprocessing system was one of most reliable OS’s ever built at the time.
3. Margaret Hamilton at Apollo ran a team specializing in writing software correctly with a least two modules handed off to them. She and her people focused on correct specs (esp with formal notations), interface checks, careful writing of code, reviewing of all code, and testing everything. She coined term “software engineering” to describe such activities. She also used asynchronous execution with monitors and human-in-the-loop recovery in case the software broke due to hardware problems or just unforseen software errors. Her team’s code ran error-free for the duration of the mission plus saved it when another party screwed up.

That’s where correct software came from. Later, in the 1970’s, Fagan at IBM pioneered code auditing as a formal process via his Software Inspection Process. Like Hamilton, he noticed many types of errors were recurring patterns. His SIP put them on a check list, had team dedicate time to finding those, fixed them by priority, and surprised management with apps that performed correctly more often. Instituted that at parts of IBM plus lots of other companies through his consulting career.

So far, a select group of proprietary, academic, and government-funded software was the highest in quality with strong, review processes. The high-assurance, security field took this to the whole lifecycle of software by late 70’s to early 80’s with first system (SCOMP) finished in mid-80’s. So, before 1990, only secure OS’s were STOP OS in SCOMP (1986), Karger’s VAX VMM, GEMSOS in BLACKER VPN, Boeing’s MLS LAN (aka SNS Server) in 1989, and LOCK’s kernel w/ UNIX layer around 1992. These methods kept proving to work well during penetration tests with numerous 3rd-party projects built on them. None of these were never compromised in the field from what data I’ve found. Although, I’m sure experts could find something if source was released. 😉

The high-assurance, security community also tried those methods on UNIX. The goal was to see if UNIX could even be secured with its complexity (“dozens of system calls” lol) and backward compatibility with how UNIX apps used it. UCLA Secure UNIX (1980) got the earliest treatment with it decomposed carefully, a formally-specified security kernel at bottom, and attempt to reduce information leaks by covert channels. It wasn’t promising: architecture, API’s, and complexity inherently caused problems that could only be closed by breaking backward compatibility & rewriting apps. Commercial sector tried anyway for medium-assurance solutions Secure Xenix at IBM in 1987 that didn’t go anywhere. Around 1990 or so, Trusted Information Systems (TIS) built & got evaluated a medium-assurance version called Trusted Xenix that implemented MAC, added a trusted path, tried some covert-channel suppression, and at least got rid of setuid root. It did all this while basically remaining compatible with Xenix apps (including setuid root ones). Kept getting updated and evaluated until version 4 in 1994 IIRC.

OpenBSD shows up in 1995. They fork an insecure UNIX called NetBSD. Their security effort is essentially looking for source code problems and fixing them. They leave the insecure architecture, have no MAC, have no trusted path, no covert-channel analysis, and so on. The product is weaker than Trusted Xenix which itself, due to UNIX-level issues, was weaker than A1-class products like XTS-400, GEMSOS, or LOCK. OpenBSD team does add some code and OS level mitigations ranging from provably eliminating problem to probabilistic (aka hope and prey). They also replace insecure services with those with better protection. More importantly, they release their code for free with source available to hit price points and adoption levels prior solutions could never do.

I think I’ve thoroughly debunked the idea that OpenBSD pioneered source auditing, was the first secure UNIX, or any of that crap. Their assurance of correctness of kernel code might still be less than UCLA Secure UNIX was in 1980. Their architectural security is hit and miss compared to Trusted Xenix of 1990. The ones copycating A1 products, especially separation kernel vendors, are ahead by virtualizing things like Linux in user-mode with all critical stuff running in isolated partitions directly on a 4-12Kloc kernel with mediated communications. That OpenBSD refuses such architectures means they’ll never be as secure as a product done that way. However, I think the user-mode layers could strongly benefit from adding OpenBSD-level mitigations or code quality. I’ve encouraged using a slimmed-down version of OpenBSD itself in those layers for that reason.

“OpenBSD has all security enhancements enabled by default; hard to disable.”

This is true. It’s a good practice. It’s what medium- and high-assurance proprietary systems were required to do under TCSEC & Orange Book.

“OpenBSD is open source, free software, and enabled independent verification”

This is true. It’s a benefit but often overstated. The private stuff I quoted got stronger evaluation because people were paid do that. Some also distributed the source code and evaluation evidence to paying users so their engineers could evaluate it themselves. This claim basically comes off as neutral on security where it can help but might not (see OpenSSL) and isn’t strictly necessary given private parties can evaluate closed-source w/ hash comparisons on binaries. I still prefer it, though, due to FOSS’s benefits outside hunting vulnerabilities plus unknown classes of attack.

“OpenBSD has a high-profile, quality image based on code quality and real world use.”

High-profile among people that love OpenBSD or tiny niche of users. That barely constitutes “high profile” to me. I find this deceptive. Their attention to quality of code and documentation can’t be refuted by anyone that knows about their work. However, OpenBSD is one of the least-used OS’s in existence, virtually no user will have ever heard of it, many sys admins outside of UNIX don’t know about it, and its community was famous for essentially telling people to fuck off if their expectations didn’t match OpenBSD peoples’ and/or they weren’t coding it themselves. By using a different approach, FreeBSD and Linux had tremendous impact powering much of the web, parts of Mac OS X, Linux desktops in corporate/consumer spaces, Android, etc. Those are high-profile and high-impact. OpenBSD is low-impact and low-profile.

It would be different if they said OpenSSH instead. That’s high-profile and high-uptake among server market. Notice how its design and marketing was handled a bit differently than OpenBSD itself. Probably had something to do with it. 😉

“OpenBSD is upstream (origin) for several widely used pieces of software… innovation list”

This is true. They deserve credit for this.

“OpenBSD has been ‘growing up in public’ via public, anonymous CVS (the first of its kind) since 1995 – transparent process, development discussions on public tech @ mailing list.”

This is true but neutral. It doesn’t matter whether a product’s development was public from the start or not if it’s eventually OSS with plenty of review. The strongest ever built were closed-source with some really, strong ones done with cathedral model closed followed by FOSSing it. seL4 is one. Bernstein’s might be another good example depending on whether he developed in private initially. This will happen less now that things like Github are kind of the norm for personal projects. My memory problems are preventing me from evaluating whether it was first to do anonymous CVS for development during or prior to 1995. May or may not be true. Old timers want to chip in on that?

Conclusion

OpenBSD continues to present itself as a legend. That is, a mix of truth and fairy tales. It was not the first, secure UNIX or even project with code auditing. That goes to proprietary, academic, and government groups dating to the early 1960’s. First, secure UNIX’s were done around 15 years before it started with first products proprietary & a few years ahead. It’s still weaker in design and architecture although stronger probably in code quality and probabilistic mitigations. They did develop it transparently with a secure, default configuration. They did create a number of better, real-world protocols/apps to layer on top. They deliberately underreport vulnerabilities to support their claim about 2 holes that’s likely false. They do overall set a positive example for others in terms of code and documentation quality.

This Conclusion written as bullet points on a presentation will probably look different than their own for some time into the future. They love their own legend too much. 🙂