Cloud Computing Discovers Covert Channels

September 15th 2009

A SANS Handler Notebook entry by Toby Kohlenberg reports on data leakage in cloud computing, and links to a terrific paper from some UCSD/MIT people: Ristenpart, Tromer, Shacham, and Savage.

If we set the wayback machine to the early 1970s, we find a paper by Butler Lampson about something called the confinement problem. It’s the same thing. Ristenpart et al pick up some of the threads (like noninterference) though their paper doesn’t point all the way back to Lampson.

This is a hard problem to solve. The only defense right now is if attackers lack the motivation to exploit it.

Continue Reading »

Posted under History of Technology & Security | No Comments »

Time – Again – For Trustworthy Computing

August 21st 2009

Saul Hansell of the Washington Post has posted an article about real time attacks on one-time password tokens like SecurID and SafeWord. The strategy is to steal a user’s one-time password after it is typed in and redirect it to a hacker to exploit immediately. The attack relies on Trojan software that has installed itself in the victim’s computer.SecurID Card

One time passwords were not designed to protect against this type of thing. Once you have that sort of trojan, there’s no way to use your computer reliably. Attackers can intercept what you’re doing, change it to benefit them, and you won’t know what happened until you look at your bank statement.

The only way to protect against such things is to ensure that your computer has not been hacked. This is hard, since there are lots of ways to attack a computer and not nearly as many ways to protect it.

Continue Reading »

Posted under Security | 1 Comment »

LOCK – A trusted computing system

July 18th 2007

The LOCK project (short for LOgical Coprocessing Kernel) developed a “trusted computing system” that implemented multilevel security. LOCK was intended to exceed the requirements for an “A1″ system as defined by the old Trusted Computing System Evaluation Criteria (a.k.a. the TCSEC or “Orange Book”). Continue Reading »

Posted under Security | Comments Off

Multilevel Security and Internet Servers

June 18th 2007

I wrote the following message as part of a discussion on the old Firewalls mailing list in 1996. The message was part of a discussion on the use of MLS technology to protect Internet servers from attack. The basic concepts still apply in some ways, though the threats have evolved in many other ways. Continue Reading »

Posted under Security | Comments Off