qconsf10-marcstiegler
TRANSCRIPT
-
8/7/2019 QConSF10-MarcStiegler
1/16
2010 Hewlett-Packard Development Company, L.P.The information contained herein is subject to change without notice
Security vs.
SecurityArchitecture
Marc Stiegler
HP Labs
Exascale Computing
-
8/7/2019 QConSF10-MarcStiegler
2/16
October 20, 2010 2
What is a Security Architecture?
Layout/interrelationship of securityelements
Can a system be more secure than itsarchitecture?
No
Can a system be more secure than theimplementations of its elements?
Yes if it is a good architecture
-
8/7/2019 QConSF10-MarcStiegler
3/16
October 20, 2010 3
Central Points of Failure: AGreat Idea?
U
U
U
U
U
CPF
U
U U
CA
U
U U
Auto
Update
Monster
Store
-
8/7/2019 QConSF10-MarcStiegler
4/16
October 20, 2010 4
Anything that can be done foryou can be done to you
Certificate authorities and spoofing keysSold to anyone who pretends to be a fed
How can anyone be surprised?
The company in question is known as Packet Forensics.... According to theflyer: "Users have the ability to import a copy of any legitimate key they
obtain (potentially by court order) or they can generate 'look-alike' keys
designed to give the subject a false sense of confidence in its authenticity."
The product is recommended to government investigators, saying "IP
communication dictates the need to examine encrypted traffic at will." And,
"Your investigative staff will collect its best evidence while users are lulledinto a false sense of security afforded by web, e-mail or VOIP encryption."
Bruce Schneier:
http://www.schneier.com/blog/archives/2010/04/man-in-the-midd_2.html
-
8/7/2019 QConSF10-MarcStiegler
5/16
October 20, 2010 5
Popular Modern Day SecurityArchitectures
Independence Day Evil Alien
Barn Door
Street Lamp
Gilded Cage
One Word to Rule Them All
Gone Phishin
Eggshell Perimeter
Theater in the Round
Blame the Victim
MacroWarnings
Vista
Firewalls
Java Applet
Executables
In Zip Files
Liberty
Alliance/
Higgins/
Bandit
OAuth
Virus
Checkers
CertificateAuthority
Windows
Patch
Update
JavaScript
Sandbox
Invisible
Email
Attachments
Firefox
Patch
Update
OpenID
Ubuntu
Patch
Update
UM
A
Viper MK VII
Cert Alert
Monolog Box
C++
Fed
Wiretap
Backdoor
Intrusion
Detection
-
8/7/2019 QConSF10-MarcStiegler
6/16
October 20, 2010 6
Principle of Least Authority(POLA)
Give person/object everythingthey needand nothing else
More Authority
Secure
Effectiveness
Minimum needed for goal = POLA
Abusable
Power
Maximum business opportunity
Gilded
Cage
One Word
Work
Undone
How do Theater and
Blame fit in?
-
8/7/2019 QConSF10-MarcStiegler
7/16October 20, 2010 7
POLA Aspects
Barn
Door
Object
Level
Evil
Alien
POLA
Peer
To
Peer
With
DesignationGilded
Cage
One
Word
Gone
Phishing
Rich
Sharing
Defense
In
Depth
Egg
Shell
Theater
Blame
StreetLamp
-
8/7/2019 QConSF10-MarcStiegler
8/16October 20, 2010 8
Defense In Depth vs. Eggshell
ApplicationFramework Kernel:
Full User Power
SCoopFS Mailbox, an approximate example
Framework
nonKernel
components
-Pal References
-Read/Write App Store
-File Dialog
Mbox AppMain
Pal Mgr-Pals
Email Mgr-App Store
Attachment Mgr-File Dialog
Pal-In/Out Chans
Pal Out Chan-Out Chan
User
Prefs
Pal In Chan-Notifier
Attack
Vector
Notifier
As we move away from core, less authority needed
Strong review/inspection.
No low hanging fruit
-
8/7/2019 QConSF10-MarcStiegler
9/16
Gilded Cage vs. Rich Sharing
AttenuatedDynamic Chained
Cross Domain
Accountable
Recomposable
-
8/7/2019 QConSF10-MarcStiegler
10/16October 20, 2010 10
POLA Implementation
Object
LevelPOLA
Peer
To
Peer
WithDesignation
Object
Capabilities
Web
Keys
Object
Capabilities
Java
Script
Caja
JavaJoe-E
Tahoe
Encrypted Web File Store
-
8/7/2019 QConSF10-MarcStiegler
11/16October 20, 2010 11
Demos
Purse ShareShell
-
8/7/2019 QConSF10-MarcStiegler
12/16October 20, 2010 12
ShareShell: Scoring
Independence Day Evil Alien
Barn Door
Street Lamp
Gilded Cage
One Word to Rule Them All
Gone Phishin
Eggshell Perimeter
Theater in the Round
Blame the Victim
8 (insecure OS, Windows/Linux)
9 (Revocation if abused)
7 (https, java, os standards)
9 (inexpressible attenuations )
10
9 (vulnerable at first connect)
9 (shallow defense in depth)
9 (cert at first connect)
10
-
8/7/2019 QConSF10-MarcStiegler
13/16October 20, 2010 13
Backups
-
8/7/2019 QConSF10-MarcStiegler
14/16October 20, 2010 14
Webkey Decision Matrix
-
8/7/2019 QConSF10-MarcStiegler
15/16October 20, 2010 1515
Eggshell/Barn Door
Mail Tool (Outlook, Evolution, etc.)
Address
Book
Sender
Rendering
Engine
All User Power
Receiver
JPEG attack subverts renderer
Uses addresses and sender
Any Breach == Full Breach
-
8/7/2019 QConSF10-MarcStiegler
16/16October 20, 2010 1616
Defense In Depth/POLA
Powerbox
All User Power
Main
Address
Book
Rendering
Engine
Sender
ReceiverJPEG attack subverts renderer
No access to sender, addresses
Modularize Authority, not just Code