Domain: acsac.org
Stories and comments across the archive that link to acsac.org.
Comments · 20
-
Re:Perverse way to drive future CPU upgrades
Found this on wikipedia, but it begs the question, where is the follow-on project?
-
Re:You want security? Start with the OS.
MULTICS eh? Here's an interesting paper looking back on MULTICS security:
Thirty Years Later: Lessons from the Multics Security Evaluation
In spite of the fact that security was a top priority for MULTICS, in spite of the fact that it was written in PL/I rather than C, in spite of the fact that it was a very small, less complex system by today's standards, in spite of the fact that it was more secure than most modern systems, MULTICS was easily penetrated during the security evaluation. So I maintain my original position that writing secure software is hard. So hard that even when people are diligently trying to write secure software, vulnerabilities remain.
MIT's ITS was another system derived from MULTICS, and deliberately insecure. It even had a non-privileged "crash" command to crash the system, and logins were optional.
-
Naive View of Software Development
Code is not crystal, and shouldn't be managed that way: see The Honeymoon Effect in software development.
Given the need for smarter software in the cloud, and the need to refactor old code due to security issues - most good programmers will be employed doing that for some time.
The sky is not f------ (connection lost)
-
Re:Self signed certs.
This is essentially what I proposed in my paper in 2005, only it adds a level of indirection to reduce the amount and volatility of data being added to DNS.
-
Re:Something To Think About
In 2005 I published a paper that proposes essentially this, along with providing an entry for DNS to delegate key query for a domain to a secondary key server (so that only a small number of key fingerprints need to be added to DNS for a domain) and key certificates are signed with these keys and available along with key metadata in an XML format.
-
Re:Current?
True, technology books ARE always out of date, but whilst it's a truism that things are always changing, it's also true that there's a linear relationship with the degree to which they stay the same. (I believe the French have a neat saying that encapsulates this notion.)
The MULTICS pentest paper and its review 30 years later are cases in point. See also Thompson, K., "Reflections on Trusting Trust", a matter which Kaminsky, D., has recently demonstrated is as true today as it was then (in a context which is completely different, yet exactly the same.)
-
Re:Every MS Patch is Utmost Severe?
"Can there truly be a flawless operating system? Is it possible to design an easy to use, accessible, and reliable application that has no security holes? I think not, but if you could, you may become richer than Gates himself."
Already been done, and a long time ago at that. The project basically went broke. See about secure Multics here.
[pdf warning, but it's a great read] -
Re:Oh yeah, people didn't understand buffer overfl
I mean c'mon. That was in 1988; by computing standards that was prehistoric.
Not only has the security impact of buffer overflows been known for much more than a decade, operating systems without them (and with more resilience to hostile code) existed thirty years ago.
Unix was ahead of that curve by 5-10 years.
Maybe Linux and the BSDs did get more of a grip sooner than Microsoft with ProPolice and stuff like that. Maybe Unix vendors did their thing. But can you say that the buffer overflow problem has been fixed on either side? Looking at the advisories I fear not. On the hostile code side Microsoft has got much better cards with NT. It has the "ACLs everywhere" design. Think files, DCOM, registry and shutdown-like calls. They got that from VMS. This is opposed to the minimalist (not "lacking", just minimal) Unix security design. This is addressed with SELinux-like stuff... but has that stopped a lot of botnets recently?
-
As long as we lack nuance
- How about a boycott/ban from government contracts for people who sell software that still has buffer overflows in worldwide internet-facing code?
- How about teaching kids how to write code without buffer overflows, for as long as we teach in C or C++? Sounds like a lesson that helps more than teaching "cracking in the US and getting caught will get you killed"
- How about revoking the licence of teachers who fail to deliver the "buffer overflows cost lives" point
- How about naming and shaming people who ignore decades-old research into computer security?
Shaking a few kids around won't change a thing for people who did learn from decades of computer security research and now use their experience to attack stuff while covering their tracks rather than defacing or DDoSing sites... Of course changing an industry doesn't need legislation but objective reporting. Like, say, articles comparing the security design of Windows against the security design of Multics. Of course that isn't something publishers like the New York Times can do anything about; they are busy printing Windows advertisements or articles that may as well be advertisements in the way they compare Windows XP eye candy against Windows 2000 eye candy to conclude Microsoft is making major improvements.
-
Papers on similar work
I've previously published two papers on a very similar idea - using distributed social trust networks to make trust judgements, which is essentially what Outfoxed is. You can find the papers at:
The Solar Trust Model
Michael Clifford, Charles Lavine, Matt Bishop
http://www.acsac.org/1998/abstracts/fri-a-1030-clifford.pdf
Networking in The Solar Trust Model: Determining Optimal Trust Paths in a Decentralized Trust Network
http://www.acsac.org/2002/papers/9.pdf -
Re:Looks like...
Are you saying this has been done? Multics had better buffer overflow protection
40 F#%îng years ago! That's right, *before Unix existed*, four decades ago, that's before Gates had pubic hair! (Okay, I didn't fact check that one, but this is a long time, and I am not just talking in Internet or doggy years.)
So, where are the lines before CompUSA to buy one of these computers that may not have the most megahurts and marchitecture, but that doesn't get new viruses/spyware/script kiddy zombie code every week while mailing personal files to random strangers?
I will tell you where these people are: they are right around the corner at the newsstand waiting for the latest issue of "screenshots, colors, windows and screensavers monthly". While there are billion dollar (memory) price fixing and (OS) monopoly scams going on, the trade media wonders what the color of Microsoft's next operating system is and where to get the newest megahurts this month....
The reason Multics was secure: the people designing it figured security would make a nice feature, so they designed it in by default... Of course others tried that, but once you add a huge piece of shell/browser/e-mail client/media player, mix in a bunch of RPC-accessible administrative tools and have all this code monkey C code run with administrative privileges.... then you are gonna need systems to tell you when your remaining security is gone (virus signature addiction systems, packet filters and intrusion detection systems).
The baby steps taken in today's "security addons" that descend from the tools DOS admins used to clean out the few known viruses are pathetic. The worst part: the people making money off it. These people are evil even by atheist standards (keeping people addicted to virus signatures while selling telephone tapping equipment by Comverse/the Mossad, while playing "trusted" third party by selling expensive certs (Want a microsoft.com one? Here, go right ahead).... while screwing everyone's DNS over just for a few quick bucks.)
The people selling computer security are snake oil/duct tape sales scumbags
(safe for non-redneck work) If people had just read the US DoD stuff on computer security (Multics, Orange Book) and used it as a starting point for a one-step-more-secure OS we could just worry about how to make computers do new useful stuff instead of fending off the spyware/worms/DDoS and god knows what people who stay out of log files do. Anyway, one can always start from scratch
-
Ahem...
So... I did this with intrusion detection (masquerade detective actually) about a year and a half ago. Just FYI
...
http://www.acsac.org/2003/beststud.html -
Re:How then...
do the tests themselves work. Unfortunately, a lot of stuff in the computing world revolves around Windows, so it could be a matter of adding criteria to the test based on what Windows does or "is supposed to do."
It's one thing to say "Operating System A has this security feature while Operating System B does not", but it's a moot point when the way in which System B operates makes such a feature unnecessary anyway, or if there's a better/different way of doing it that isn't written on a sheet of paper.
This is where understanding the Common Criteria and how it works is critical. So take your seats, boys and girls, for a little primer.
The Common Criteria is not a criteria, per se, but a catalog of potential ways to address threats. When one writes a security target, one begins by enumerating the environment in which the product works: the assumptions, the threats the product will address, the threats the environment will address, and the policy. One then creates objectives for both the product and the environment to address those threats. To implement each of the objectives, one selects components from the CC.
In a security target (ST), this is a statement of "This is what I do". A Protection Profile (PP) is a statement of "This is what I want". One can build a target that is compliant with the PP; this is "You want this; here's how I give it to you".
But the key thing is that the target details the functionality the product claims. The evaluation process provides confidence that what is claimed is what is implemented.
Confidence, or in CC speak, assurance, comes in a variety of areas: how the design was documented and developed, what guidance is given to users, how thoroughly the product was tested, whether configuration management was in place, etc. These assurance areas are arranged into a set of 7 EALs, where EAL1 is "I ran a test and it worked", and EAL7 is formally specified and verified with penetration testing, etc.
Well, that's a quick introduction. Hopefully, this helped.
Daniel
(Want to learn more about security? Attend the Applied Computer Security Applications Conference (ACSAC).) -
Re:Distributed Trust Models
That first link doesn't seem to have posted correctly. It's http://www.acsac.org/1998/abstracts/fri-a-1030-clifford.pdf
No space in the word "clifford"
first paper
second paper -
Re:Cat out of the bag!
The papers may be posted, but you should still come and attend that session at the conference, for there you can get the full give and take.
[I'll also note the full program is up for the conference, so you can see what other papers, sessions, and tutorials we'll be having. The conference web page is www.acsac.org]
Daniel
-
Computer Security Conferences at the Alexis Park
I just thought I would let folks know there will be another computer security conference at the Alexis Park later this year, of a nature pretty different than Defcon. For those working in the industry, it would be well worth checking out.
The 18th Annual Computer Security Applications Conference will be held the week of December 9-13, 2002 at the Alexis Park. We're still in the process of finalizing the technical program, but I can tell you there will be two days of tutorials, followed by 2.5 days of technical programs. Tutorials will include Information System Security Basics, Understanding Biometric Technology, Denial Of Service Attacks-Background Diagnosis and Mitigation, XML Security, Cryptography and PKI Basics, Mobile and Wireless Security Issues, Risk Assessment, and Survivable Systems Analysis. Invited Speakers include Earl Boebert and Dan Geer.
(and you read it on Slashdot first!)
Look for Advance Program information to be going up on www.acsac.org around September 1. If you have questions before then, feel free to visit the site, and contact one of the members of the conference committee.
Daniel (Conference Chair, Tutorial Chair, ACSAC 18)