qconsf10-marcstiegler

8/7/2019 QConSF10-MarcStiegler

1/16

2010 Hewlett-Packard Development Company, L.P.The information contained herein is subject to change without notice

Security vs.

SecurityArchitecture

Marc Stiegler

HP Labs

Exascale Computing


2/16

October 20, 2010 2

What is a Security Architecture?

Layout/interrelationship of securityelements

Can a system be more secure than itsarchitecture?

No

Can a system be more secure than theimplementations of its elements?

Yes if it is a good architecture


3/16

October 20, 2010 3

Central Points of Failure: AGreat Idea?

U

U

U

U

U

CPF

U

U U

CA

U

U U

Auto

Update

Monster

Store


4/16

October 20, 2010 4

Anything that can be done foryou can be done to you

Certificate authorities and spoofing keysSold to anyone who pretends to be a fed

How can anyone be surprised?

The company in question is known as Packet Forensics.... According to theflyer: "Users have the ability to import a copy of any legitimate key they

obtain (potentially by court order) or they can generate 'look-alike' keys

designed to give the subject a false sense of confidence in its authenticity."

The product is recommended to government investigators, saying "IP

communication dictates the need to examine encrypted traffic at will." And,

"Your investigative staff will collect its best evidence while users are lulledinto a false sense of security afforded by web, e-mail or VOIP encryption."

Bruce Schneier:

http://www.schneier.com/blog/archives/2010/04/man-in-the-midd_2.html


5/16

October 20, 2010 5

Popular Modern Day SecurityArchitectures

Independence Day Evil Alien

Barn Door

Street Lamp

Gilded Cage

One Word to Rule Them All

Gone Phishin

Eggshell Perimeter

Theater in the Round

Blame the Victim

MacroWarnings

Vista

Firewalls

Java Applet

Executables

In Zip Files

Liberty

Alliance/

Higgins/

Bandit

OAuth

Virus

Checkers

CertificateAuthority

Windows

Patch

Update

JavaScript

Sandbox

Invisible

Email

Attachments

Firefox

Patch

Update

OpenID

Ubuntu

Patch

Update

UM

A

Viper MK VII

Cert Alert

Monolog Box

C++

Fed

Wiretap

Backdoor

Intrusion

Detection


6/16

October 20, 2010 6

Principle of Least Authority(POLA)

Give person/object everythingthey needand nothing else

More Authority

Secure

Effectiveness

Minimum needed for goal = POLA

Abusable

Power

Maximum business opportunity

Gilded

Cage

One Word

Work

Undone

How do Theater and

Blame fit in?


7/16October 20, 2010 7

POLA Aspects

Barn

Door

Object

Level

Evil

Alien

POLA

Peer

To

Peer

With

DesignationGilded

Cage

One

Word

Gone

Phishing

Rich

Sharing

Defense

In

Depth

Egg

Shell

Theater

Blame

StreetLamp


8/16October 20, 2010 8

Defense In Depth vs. Eggshell

ApplicationFramework Kernel:

Full User Power

SCoopFS Mailbox, an approximate example

Framework

nonKernel

components

-Pal References

-Read/Write App Store

-File Dialog

Mbox AppMain

Pal Mgr-Pals

Email Mgr-App Store

Attachment Mgr-File Dialog

Pal-In/Out Chans

Pal Out Chan-Out Chan

User

Prefs

Pal In Chan-Notifier

Attack

Vector

Notifier

As we move away from core, less authority needed

Strong review/inspection.

No low hanging fruit


9/16

Gilded Cage vs. Rich Sharing

AttenuatedDynamic Chained

Cross Domain

Accountable

Recomposable


10/16October 20, 2010 10

POLA Implementation

Object

LevelPOLA

Peer

To

Peer

WithDesignation

Object

Capabilities

Web

Keys

Object

Capabilities

Java

Script

Caja

JavaJoe-E

Tahoe

Encrypted Web File Store


11/16October 20, 2010 11

Demos

Purse ShareShell


12/16October 20, 2010 12

ShareShell: Scoring

Independence Day Evil Alien

Barn Door

Street Lamp

Gilded Cage

One Word to Rule Them All

Gone Phishin

Eggshell Perimeter

Theater in the Round

Blame the Victim

8 (insecure OS, Windows/Linux)

9 (Revocation if abused)

7 (https, java, os standards)

9 (inexpressible attenuations )

10

9 (vulnerable at first connect)

9 (shallow defense in depth)

9 (cert at first connect)

10


13/16October 20, 2010 13

Backups


14/16October 20, 2010 14

Webkey Decision Matrix


15/16October 20, 2010 1515

Eggshell/Barn Door

Mail Tool (Outlook, Evolution, etc.)

Address

Book

Sender

Rendering

Engine

All User Power

Receiver

JPEG attack subverts renderer

Uses addresses and sender

Any Breach == Full Breach


16/16October 20, 2010 1616

Defense In Depth/POLA

Powerbox

All User Power

Main

Address

Book

Rendering

Engine

Sender

ReceiverJPEG attack subverts renderer

No access to sender, addresses

Modularize Authority, not just Code

qconsf10-marcstiegler

Documents