Models for Today’s Security

August 18th 2008 10:51 am

I received an e-mail from a mutual friend named Jim Burrows who was decrying the state of information security, blaming it on the lack of good models for solving modern security problems. I have to agree, and I admit I don’t have a glib answer.

A few weeks back, Gunnar Peterson posted some comments relevant to this discussion of modern security policy, but I haven’t managed to frame a response to that one, either.

At the very least, I can agree that traditional models are broken. I believe there are some fundamentals that remain constant, but the high-level attempt to build firewalled enclaves is clearly obsolete (except for a very few special situations).

When one does security seriously, one generally constructs a sort of customized model, embodies it in a set of security requirements (some of us call it ‘security policy’), and works from there.

One problem is that the policy generally reflects a certain set of assumptions about the environment, and evolving technology soon finds a reason to break those assumptions. For example, in the 90s some of us thought the Web could be secured if we could avoid active content on web pages. In retrospect that wasn’t entirely true. But in any case, the Web moved inexorably towards active content, and security that assumed passive content was no longer completely effective.

People talk about modeling the immune system and that might be a reasonable thing. But what does that mean in practice?

Posted under Information Security

3 Responses to “Models for Today’s Security”

  1. In large part, what I said in my email was (and forgive me if this gets double posted, something hung the first time):

    I’m currently doing some work in identity and credentials, and have been coming to the realization/opinion that both our mental and formal models in the areas of security, identity and trust are inadequate, ill-chosen or both.

    My main criticism of our thinking on security is that we tend to use the mental model of the “Motte and Bailey” castle, when the situation is far more complicated, more like an immune system trying to protect a living organism in a world that can never be antiseptic. In trust and identity, it seems we’re working on the mechanisms for federating identity without having a model that allows us to evaluate more fundamental questions like “Why should organization X trust the other members of its federation?”, “What do we actually mean by ‘trust’, ‘reliance’ and ‘assurance’?”, “How do you quantify levels of trust/reliance/assurance?”, “How do organizations that chose different ID federations, PKI models, or the like cooperate, and if you can’t how do you apply digital credentials in the US (let alone the world) with its multi-tiered federated governmental structure and unmanaged free market economy?” Technical questions are interesting puzzles, but I think we need a basic understanding of the issues first.

    In the one case I think a new model needs to be adopted in place of an old one, and in the other I think we need to create one. In both cases, if the model is to direct software, network, and credentialing technologies, it has to be formal, rigorous, and eventually quantifiable. And just to complicate that, if the public is going to operate in this environment and understand the systems that they are using, then there has to be a simple non-technical mental model that approximates the formal one well enough that people can have reasonable expectations as to the consequences of their actions.

    The short form of my analysis is that what we have is a mess, and we shouldn’t be surprised if it doesn’t work and gets worse, unless we do something about it, something that involves some clear analytic thinking. I’m struggling my way through expressing what’s wrong, evaluating some proposed models and improvements and trying to come up with solutions that I can believe in.

    JimB.

    Jim Burrows on 18 Aug 2008 at 3:42 pm

  2. 1) I like the Gunnar Peterson article. I’m not sure I buy all of the Gelernter visionary stuff, but he at least raises interesting points, and Saltzer & Schroeder, for all that they “have dirt under their fingernails”, were working in a technologically very different world. After all, at the time that they were writing it, I was dialing into the local ARPAnet IMP, using its guest account and virtual terminalling into the open guest accounts at Harvard, MIT AI, Stanford and London. The level of threat was dramatically different, as were the complexities of the system and the capabilities of the software.

    2) You raise an interesting question when you say that “modeling the immune system … might be a reasonable thing. But what does that mean in practice?”

    I’m working in a private blog of my own on understanding the answer. The first thing that it says is the same as what Dan Kaminsky has been saying was the really important point raised by the DNS flaw he got so much attention for discovering: “The whole “hostile vs. safe” network myth needs to die. Every network is hostile — the DNS bug just made true something that should already have been assumed, but wasn’t. ”

    There are no safe networks, not the internet or corporate WANs, or residential LANs or wireless access points. And with 100,000,000 to 150,000,000 zombies in the collective bot herds there never will be. The threats are too numerous and some of them too huge. Our BIOSes are now as complicated as a serious OS. They are vulnerable and we are vulnerable to them. The digital world is no more safe than the biological world. That doesn’t mean that either isn’t a wonderful place. It just means that nowhere is safe.

    Security and identity are both statistical. Survival is a matter of playing the odds, and constantly re-evaluating the odds and your strategy. We need to worry not about 100% safe, but “safe enough” to be viewed as “healthy”. We need to keep the balance of the odds in our favor.

    And I think it means that we can’t leave our cyber-health to manual processes. We need systems that automatically recognize good and dangerous data and code. We need automated, adaptive protections. The threats are now automated. We will quite simply lose if we don’t adapt to them.

    There was a bit in the news the other day about software tools that can diff a software update, deduce the flaw that it fixes and build an exploit to attack it. I suspect that the process isn’t quite as clever as it was described, but that’s OK. The basic approach is sound and over time can be improved and more fully automated. If there are adaptive malicious infecting agents out there, then there had better be adaptive automatic defenses. That way lies the cyber immune system.

    But there are also weaknesses to an immune system. They are more heuristic and probabilistic than algorithmic and deterministic. One of the things we are learning today about immune systems is that they don’t do well when they are faced with environments that are either much more or even much less septic than they were designed/developed to handle, or if the threats are too alien.

    Faced with too few threats, immune systems can fail in three ways:

    1) Atrophy and become ineffective.
    2) Attack the body they are supposed to protect, producing auto-immune diseases. See the “hygiene hypothesis”.
    3) Attack innocuous or beneficial substances resulting in allergies.

    Also, really nasty pathogens will target the immune system itself.

    The immune system analogy even offers interesting insights into non-cyber security. Just as an immune system that has no legitimate targets can start attacking inappropriate targets, giving us allergies and autoimmune diseases, and just as too aggressive a focus on antisepsis and antibiotics can breed killer diseases, we can see some interesting parallels in urban security.

    Here’s a quick reprise of a longer rant I deliver occasionally. In the late ’60s a police sniper took out a serial-killing sniper at the University of Texas. This inspired the notion of “Special Weapons and Tactics”, which was quickly adopted in LA. At the time, drug dealers were almost never armed. Drugs had a small time penalty. Guns upped the sentences hugely.

    LA SWAT was only needed infrequently for its original purpose. It was highly paid and elite and had almost nothing to do for the 5 years between the Black Panthers and the SLA, so they were used on some drug busts, just to keep in shape. Drug dealers started going armed, and dealing through young armed agents, the street gangs. New highly violent street gangs quickly took over.

    Today, two LA street gangs founded in the same year that LA SWAT went live have gone virulent and spread from coast to coast and into the heartland of America. And we are much less safe.

    There are two lessons:
    1) Immune systems and elite emergency response teams want to be used. If they don’t have an appropriate target, they will find one.

    2) Pathogens, both microbial and sociopathic, can be bred into extreme virulence by applying extreme measures that allow only the nastiest to survive.

    Natural systems are very complex and adaptive, and strategies for handling them are likewise complex. You need to understand probability, economics, risk assessment, natural selection and the law of unexpected consequences to know how to deal with them.

    Well that was long and dense, and I didn’t even give my lecture on Paris and Nicolas-Gabriel de La Reynie. Perhaps another time. In any event, I don’t claim to have the answers, just a bunch of questions and a few insights and a lot of analogies and am always looking for someone to kick them around with.

    Thanks for bringing me here.

    Jim Burrows on 19 Aug 2008 at 5:02 pm

  3. Cryptosmith Blog…

    Rick Smith has a blog called Cryptosmith. Rick has written extensively on authentication, crypto, and other pressing issues. A couple of his posts to point out…

    1 Raindrop on 04 Sep 2008 at 11:43 am
