Accountability and FreedomReal-World SecurityCauses of Security ProblemsThe Access Control ModelAccess Control Mechanisms: The Gold StandardMaking Isolation WorkBad = UnaccountableFor Accountability To WorkAccountability vs. Access ControlThe Accountability EcosystemAccountable Internet AccessSlide 12Without R|G: TodayWith R|GMust Get Configuration RightWhy R|G?Configuring GreenR|G User Model DilemmaData TransferWhere Should Email/IM Run?R|G and Enterprise NetworksSummary1Accountability and FreedomButler LampsonMicrosoftOctober 27, 20052Real-World Security•It’s about risk, locks, and deterrence. Risk management: cost of security < expected lossPerfect security costs way too muchLocks good enough that bad guys break in rarelyBad guys get caught and punished enough to be deterred, so police / courts must be good enough.Can recover from damage at an acceptable cost. •Internet security similar, but little accountability–Can’t identify the bad guys, so can’t deter them3Causes of Security Problems•Exploitable bugs•Bad configuration–TCB: Everything that security depends onHardware, software, and configuration–Does formal policy say what I mean?•Can I understand it? Can I manage it?•Why least privilege doesn’t work–Too complicated, can’t manage itThe unavoidable price of reliability is simplicity—Hoar e4The Access Control ModelObject Resource Reference monitor Guard Do operationRequestPrincipalSource AuthorizationAudit logAuthenticationPolicy1. Isolation boundary2. Access control3. Policy1. Isolation Boundary: I am isolated if anything that goes wrong is my (program’s) fault2. Access Control for channel traffic3. Policy management5Access Control Mechanisms:The Gold Standard-Authenticate principals: Who made a requestMainly people, but also channels, servers, programs(encryption implements channels, so key is a principal)-Authorize access: Who is trusted with a resourceGroup principals or resources, to simplify management Can define by a property, e.g. “type-safe” or “safe for scripting”-Audit: Who did what when?•Lock = Authenticate + Authorize•Deter = Authenticate + AuditObject Resource Reference monitor Guard Do operationRequestPrincipalSource AuthorizationAudit logAuthenticationPolicy1. Isolation boundary2. Access control3. Policy6Making Isolation Work•Isolation is imperfect: Can’t get rid of bugs–TCB = 10-50 M lines of code–Customers want features more than correctness•Instead, don’t tickle them.•How? Reject bad inputs–Code: don’t run or restrict severely–Communication: reject or restrict severely•Especially web sites–Data: don’t send; don’t accept if complex7Bad = Unaccountable•Can’t identify bad guys, so can’t deter them•Fix? End nodes enforce accountability–Refuse inputs that aren’t accountable enough•or strongly isolate those inputs–Senders are accountable if you can punish them–All trust is local•Need an ecosystem for–Senders becoming accountable–Receivers demanding accountability–Third party intermediaries•To stop DDOS attacks, ISPs must play8For Accountability To Work•Senders must be able to make themselves accountable–This means pledging something of value•Friendship•Reputation•Money•…•Receivers must be able to check accountability–Specify what is accountable enough–Verify sender’s evidence of accountability9Accountability vs. Access Control•“In principle” there is no differencebut•Accountability is about punishment, not locks–Hence audit is critical•Accountability is very coarse-grained10The Accountability Ecosystem•Identity, reputation, and indirection services•Mechanisms to establish trust relationships–Person to person and person to organization•A flexible, simple user model for identity•Stronger user authentication–Smart card, cell phone, biometrics•Application identity: signing, reputation11Accountable Internet Access•Just enough to block DDoS attacks•Need ISPs to play. Why should they?–Servers demand it; clients don’t get locked out–Regulation?•A server asks its ISP to block some IP addresses•ISPs propagate such requests to peers or clients–Probably must be based on IP address–Perhaps some signing scheme to traverse unreliable intermediaries?•High priority packets can get through12•Partition world into two parts:–Green Safer/accountable –Red Less safe/unaccountable•Two aspects, mostly orthogonal–User Experience–Isolation mechanism•Separate hardware with air gap•VM•Process isolationAccountability vs. Freedom13Without R|G: TodayN attacks/yrLessvaluable assetsMorevaluable assetsMy Computerm attacks/yrTotal: N+m attacks/yr on all assets(N >> m)Less trustworthyLess accountableentitiesMore trustworthyMore accountableentitiesEntities- Programs- Network hosts- Administrators14With R|GLessvaluable assets My Red ComputerN attacks/yr on less valuable assetsMorevaluable assetsMorevaluable assetsMy Green Computerm attacks/yr on more valuable assetsN attacks/yrm attacks/yr(N >> m)Less trustworthyLess accountableentitiesMore trustworthyMore accountableentitiesEntities- Programs- Network hosts- Administrators15Must Get Configuration RightLessvaluable assets My Red ComputerMorevaluable assetsMorevaluable assetsMy Green ComputerValuableAssetLess trustworthyLess accountableentitiesMore trustworthyMore accountableentitiesHostileagent•Keep valuable stuff out of red•Keep hostile agents out of green16Why R|G?•Problems: –Any OS will always be exploitable•The richer the OS, the more bugs–Need internet access to get work done, have fun•The internet is full of bad guys•Solution: Isolated work environments:–Green: important assets, only talk to good guys•Don’t tickle the bugs, by restricting inputs–Red: less important assets, talk to anybody•Blow away broken systems•Good guys: more trustworthy / accountable–Bad guys: less trustworthy or less accountable17Configuring Green•Green = locked down = only whitelist inputs•Requires professional management–Few users can make these decisions–Avoid “click OK to proceed”•To escape, use Red–Today almost all machines are Red18R|G User Model Dilemma•People don’t want complete isolation–They want to:•Cut/paste, drag/drop•Share parts of the file system•Share the screen•Administer one machine, not multiple•…•But more integration can weaken isolation–Add bugs–Compromise
View Full Document