6.826—Principles of Computer Systems 2002 Handout 31. Computer Security in the Real World

Computer Security in the Real World

Butler W. Lampson
Microsoft
[email protected], research.microsoft.com/lampson

Abstract

After thirty years of work on computer security, why are almost all the systems in service today extremely vulnerable to attack? The main reason is that security is expensive to set up and a nuisance to run, so people judge from experience how little of it they can get away with. Since there’s been little damage, people decide that they don’t need much security. In addition, setting it up is so complicated that it’s hardly ever done right. While we await a catastrophe, simpler setup is the most important step toward better security.

In a distributed system with no central management like the Internet, security requires a clear story about who is trusted for each step in establishing it, and why. The basic tool for telling this story is the “speaks for” relation between principals that describes how authority is delegated, that is, who trusts whom. The idea is simple, and it explains what’s going on in any system I know. The many different ways of encoding this relation often make it hard to see the underlying order.

1 Introduction

People have been working on computer system security for at least 30 years. During this time there have been many intellectual successes. Notable among them are the subject/object access matrix model [11], access control lists [17], multilevel security using information flow [6, 13] and the star-property [3], public key cryptography [14], and cryptographic protocols [1]. In spite of these successes, it seems fair to say that in an absolute sense, the security of the hundreds of millions of deployed computer systems is terrible: a determined and competent attacker could destroy most of the information on almost any of these systems, or steal it from any system that is connected to a network. Even worse, the attacker could do this to millions of systems at once.

On the other hand, not much harm is actually being done by attacks on these insecure systems. Once or twice a year an email virus such as “I love you” infects a million or two machines, and newspapers print extravagant estimates of the damage it does, but these are minor annoyances. There is no accurate data about the cost of failures in computer security. On the one hand, most of them are never made public for fear of embarrassment. On the other, when a public incident does occur, the security experts and vendors of antivirus software that talk to the media have every incentive to greatly exaggerate its costs. But money talks. Many vendors of security have learned to their regret that although people complain about inadequate security, they won’t spend much money, sacrifice many features, or put up with much inconvenience in order to improve it. This strongly suggests that bad security is not really costing them much.

Of course, computer security is not just about computer systems. Like any security, it is only as strong as its weakest link, and the links include the people and the physical security of the system. Very often the easiest way to break into a system is to bribe an insider. This short paper, however, is limited to computer systems.

What do we want from secure computer systems? Here is a reasonable goal:

Computers are as secure as real world systems, and people believe it.

Most real world systems are not very secure by the absolute standard suggested above. It’s easy to break into someone’s house. In fact, in many places people don’t even bother to lock their houses, although in Manhattan they may use two or three locks on the front door. It’s fairly easy to steal something from a store. You need very little technology to forge a credit card, and it’s quite safe to use a forged card at least a few times. Why do people live with such poor security in real world systems?

The reason is that security is not about perfect defenses against determined attackers. Instead, it’s about value, locks, and punishment. The bad guy balances the value of what he gains against the risk of punishment, which is the cost of punishment times the probability of getting punished. The main thing that makes real world systems sufficiently secure is that bad guys who do break in are caught and punished often enough to make a life of crime unattractive. The purpose of locks is not to provide absolute security, but to prevent casual intrusion by raising the threshold for a break-in.

Well, what’s wrong with perfect defenses? The answer is simple: they cost too much. There is a good way to protect personal belongings against determined attackers: put them in a safe deposit box. After 100 years of experience, banks have learned how to use steel and concrete, time locks, alarms, and multiple keys to make these boxes quite secure. But they are both expensive and inconvenient. As a result, people use them only for things that are seldom needed and either expensive or hard to replace.

Practical security balances the cost of protection and the risk of loss, which is the cost of recovering from a loss times its probability. Usually the probability is fairly small (because the risk of punishment is high enough), and therefore the risk of loss is also small. When the risk is less than the cost of recovering, it’s better to accept it as a cost of doing business (or a cost of daily living) than to pay for better security. People and credit card companies make these decisions every day.

With computers, on the other hand, security is only a matter of software, which is cheap to manufacture, never wears out, and can’t be attacked with drills or explosives. This makes it easy to drift into thinking that computer security can be perfect, or nearly so. The fact that work on computer security has been dominated by the needs of national security has made this problem worse. In this context the stakes are much higher and there are no police or courts available to punish attackers, so it’s more important not to make mistakes. Furthermore, computer security has been regarded as an offshoot of communication security, which is based on cryptography. Since cryptography can be nearly perfect, it’s natural to think that computer security can
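The “speaks for” relation named in the abstract, as an added example that is not part of Lampson’s paper: a small delegation graph whose access check is the reflexive, transitive closure of the relation. The channel, key, user and group names and the ACL are constructed for illustration; the reading that “A speaks for B” makes A’s statements count as B’s is the standard one for the relation and is not spelled out in this excerpt.

```python
# Added example (not from the paper): a minimal model of the "speaks for"
# relation. "A speaks for B" (A => B) means that any statement A makes counts
# as a statement by B. The relation is reflexive and transitive, so authority is
# delegated along chains. Principal names, channels and the ACL are constructed.
from collections import deque
from typing import Dict, Iterable, List, Set

class SpeaksFor:
    """Delegation graph: edges[a] holds every b for which a => b was asserted."""

    def __init__(self) -> None:
        self.edges: Dict[str, Set[str]] = {}

    def add(self, a: str, b: str) -> None:
        """Record the fact 'a speaks for b'."""
        self.edges.setdefault(a, set()).add(b)

    def principals_for(self, a: str) -> Set[str]:
        """Reflexive, transitive closure of a: breadth-first with a visited set,
        so a cycle in the delegation facts cannot make the check loop forever."""
        seen, queue = {a}, deque([a])
        while queue:
            for nxt in self.edges.get(queue.popleft(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def authorize(self, channel: str, acl: Iterable[str]) -> List[str]:
        """ACL entries the request's channel speaks for (sorted); [] means deny.
        A request is granted only when a chain of speaks-for facts connects the
        channel it arrived on to a principal named on the ACL."""
        reach = self.principals_for(channel)
        return sorted(p for p in acl if p in reach)

# Constructed scenario: a channel speaks for the key that authenticated it, the
# key speaks for its user, and a user speaks for each group they belong to.
DELEGATIONS = [
    ("C_alice", "K_alice"), ("K_alice", "Alice"),
    ("C_bob", "K_bob"), ("K_bob", "Bob"), ("Bob", "Admins"),
    ("C_mallory", "K_mallory"), ("K_mallory", "Mallory"),
]
RESOURCE_ACL = ["Alice", "Admins"]  # who may read the constructed resource

def build_world() -> SpeaksFor:
    world = SpeaksFor()
    for a, b in DELEGATIONS:
        world.add(a, b)
    return world
```

A request on C_bob is granted through the group Admins even though Bob is not named on the ACL, while C_mallory reaches no ACL entry and is denied.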

