dad-usenix-2004.ppt 644KB Jun 23 2011 12:11:22 PM

72 slides

My Dad’s Computer, Microsoft, and the Future of Internet Security
Bill Cheswick
ches@lumeta.com
http://www.lumeta.com

My Dad’s computer
Skinny-dipping with Microsoft

My Dad's Computer, 4 of 72

Case study: My Dad’s computer
• Windows XP, plenty of horsepower, two screens
• Applications:
  – Email (Outlook)
  – “Bridge:” a fancy stock market monitoring system
  – AIM

Case study: My Dad’s computer
• Cable access
• Dynamic IP address
• No NAT
• No firewall
• Outdated virus software
• No spyware checker

This computer was a software toxic waste dump
• It was burning a liter of oil every 500 km
• The popups seemed darned distracting to me

My Dad’s computer: what the repair geek found
• Everything
• “Viruses I’ve never heard of”
  – Not surprising: there are 200 new ones each day
• Constant popups
• Frequent blasts of multiple web pages, mostly obscene


Dad’s computer: how did he get in this mess?
• He doesn’t know what the popup security messages mean
• Email-borne viruses
• Unsecured network services
• Executable code in web pages from unworthy sites

He is getting his work done
• Dad: “Why do I care? I am getting my work done”
• Didn’t want a system administrator to mess up his user interface settings
• Truly destructive attacks are rare
  – They aren’t lucrative or much fun
  – They are self-limiting

Recently
• An alien G-rated screen saver for an X-rated site appeared
• Changing the screen saver worked!
• The screen saver software was removed the correct way!
• Still, this should never have happened

Skinny Dipping on the Internet

I’ve been skinny dipping on the Internet for years
• FreeBSD and Linux hosts
• Very few, very hardened network services
• Single-user hosts
• Dangerous services placed in sandboxes
• No known break-ins
• No angst

“Best block is not be there”
- Mr. Kesuke Miyagi (Pat Morita), Karate Kid (1984)

Angst and the Morris Worm
• Did the worm get past my firewall?
• No. Why?
  – Partly smart design
  – Partly luck… removing fingerd
• Peace of mind comes from staying out of the battle altogether

“You’ve got to get out of the game”
- Fred Grampp

Can my Dad (and millions like him) get out of the game?

Arms Race Games


Virus arms race
• Early on, detectors used viral signatures
• Virus encryption and recompilation (!) have thwarted this
• Virus detectors now simulate the code, looking for signature actions
• Virus writers now detect emulation and behave differently
• Virus emulators are slowing down, even with Moore’s Law


Virus arms race
• I suspect that virus writers are going to win the detection battle, if they haven’t already
  – Emulation may become too slow
  – Even though we have the home-field advantage
  – Will we know if an undetectable virus is released?
• Best defense is to get out of the game
  – Don’t run portable programs, or
  – Improve our sandbox technology
• People who really care about this worry about Ken Thompson’s attack
  – Read and understand “On Trusting Trust”

Getting out of the virus game
• Don’t execute roving programs of unknown provenance
• Trusted Computing can fix the problem, in theory

Password sniffing and cracking arms race
• Ethernet has always been sniffable
• WiFi is the new Ethernet

Password sniffing and cracking arms race
• Password cracking works 3% to 60% of the time using offline dictionary attacks
  – More, if the hashing is misdesigned (cf. Microsoft)
• This will never get better, so…
• We have to get out of the game

Password sniffing and cracking arms race
• This battle is mostly won, thanks to SSL, IPsec, and VPNs
• There are many successful businesses using these techniques nicely
• Current clear text services:
  – SNMP
  – POP3
  – AIM

Password sniffing is not a problem for Dad
• SSL fixes most of it
• AIM is interceptible
  – Fixable… will it be?

Authentication/Identification arms races
• Password/PIN selection vs. cracking
• Human-chosen passwords and PINs can be OK if guessing is limited, and obvious choices are suppressed
• Password cracking is getting better, thanks to Moore’s Law and perhaps even botnets

We don’t know how to leave the user in charge of security decisions, safely.

Authentication solutions: two factor authentication
• In my laptop: ssh key unlocked by long passphrase
• Better: USB “key” unlocked by PIN. Five bad PINs, and it is gone.
  – We already carry a bunch of keys, so why not one more

Hardware tokens
• These need to be open-source drivable, and cheap
• The business model has never been one for global adoption
• Challenge/response form factor is the safest, but not acceptable if humans are in the loop

Two factor authentication doesn’t fix all woes
• The taking of slocum
• The tough part is the client security
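A constructed model of the PIN-unlocked challenge/response token the last three slides describe (an added example, not code from the talk): the token answers only after a correct PIN, five bad PINs erase its key, and the server's random single-use challenge is what makes a sniffed response worthless to replay. The `Token` and `Server` classes, the user name and the PIN are all hypothetical.

```python
import hashlib, hmac, os

MAX_BAD_PINS = 5  # "Five bad PINs, and it is gone"
class Token:
    # Hypothetical USB-style token: the key is usable only after a correct PIN.
    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._pin_digest = hashlib.sha256(pin.encode()).digest()
        self.bad_pins, self.unlocked = 0, False

    def unlock(self, pin: str) -> bool:
        given = hashlib.sha256(pin.encode()).digest()
        if self._key is not None and hmac.compare_digest(given, self._pin_digest):
            self.bad_pins, self.unlocked = 0, True
            return True
        self.bad_pins += 1
        if self.bad_pins >= MAX_BAD_PINS:
            self._key = None  # key destroyed: the token is now just plastic
        return False

    def respond(self, challenge: bytes) -> bytes:
        if not self.unlocked or self._key is None:
            raise PermissionError("token locked or wiped")
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Server:
    # Holds a copy of each user's token key and hands out one-time challenges.
    def __init__(self):
        self.keys, self.pending = {}, {}

    def challenge(self, user: str) -> bytes:
        self.pending[user] = os.urandom(16)  # fresh random nonce per attempt
        return self.pending[user]

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # each challenge is usable once
        if nonce is None:
            return False
        expected = hmac.new(self.keys[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    key = os.urandom(32)  # constructed: shared by token and server at enrolment
    token, server = Token(key, "4271"), Server()
    server.keys["dad"] = key
    token.unlock("4271")
    r1 = token.respond(server.challenge("dad"))
    login_ok = server.verify("dad", r1)   # True: fresh challenge, right key
    server.challenge("dad")
    replay_ok = server.verify("dad", r1)  # False: a sniffed r1 answers an old nonce
    for guess in ("0000", "1111", "2222", "3333", "4444"):
        token.unlock(guess)               # five wrong PINs in a row
    wiped = not token.unlock("4271")      # True: even the right PIN is useless now
    return {"login_ok": login_ok, "replay_ok": replay_ok, "wiped": wiped}
```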

TBA
Emergency Holographic Speaker

User education vs. user deception
• We will continue losing this one
• Even experts sometimes don’t understand the ramifications of choices they are offered

Authentication arms race: predictions
• USA needs two factor authentication for social security number. (Something better than mother’s maiden name or birth date.)
• I don’t see this improving much, but a global USB dongle would do it
• Don’t wait for world-wide PKI.

Arms race (sort of): hardware destruction
• IBM monochrome monitor
• Some more recent monitors
  – Current ones?
• Hard drives? Beat the heads up?
• EEPROM write limits
  – Viral attack on .cn and .kr PC motherboards
  – Other equipment
• Anything that requires a hardware on-site service call

Arms race (sort of): hardware destruction
• Rendering the firmware useless
  – This can be fixed (mostly) with a secure trusted computing base.

Software upgrade race: literally a race
• Patches are analyzed to determine the weakness
• Patch-to-exploit time is now down below 10 hours
  – NB: spammers have incentive to do this work
• Now the good guys are trying to obfuscate code!
• Future difficult to say: dark side obscures everything.

Arms races: firewalls
• IP blocking
• IP aware (stateful)
  – More dangerous
  – Permits firewalking
• Ultimately, firewalls are a hack, and should go away

Arms races: deception
• Jails
  – Cliff Stoll and SDInet
• Honeypots
  – Honeynet
  – honeyd
• The Deception Toolkit (Fred Cohen)

Microsoft client security
It has been getting worse: can they skinny-dip safely?

Windows ME
Active Connections - Win ME

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1032         0.0.0.0:0              LISTENING
  TCP    223.223.223.10:139     0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1025           *:*
  UDP    0.0.0.0:1026           *:*
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:162            *:*
  UDP    223.223.223.10:137     *:*
  UDP    223.223.223.10:138     *:*

Windows 2000

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1036           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1078           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1086           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6515           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:139          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1038           *:*
  UDP    0.0.0.0:6514           *:*
  UDP    0.0.0.0:6515           *:*
  UDP    127.0.0.1:1108         *:*
  UDP    223.223.223.96:500     *:*
  UDP    223.223.223.96:4500    *:*

Windows XP: this laptop, pre-SP2

  Proto  Local Address          Foreign Address        State
  TCP    ches-pc:epmap          ches-pc:0              LISTENING
  TCP    ches-pc:microsoft-ds   ches-pc:0              LISTENING
  TCP    ches-pc:1025           ches-pc:0              LISTENING
  TCP    ches-pc:1036           ches-pc:0              LISTENING
  TCP    ches-pc:3115           ches-pc:0              LISTENING
  TCP    ches-pc:3118           ches-pc:0              LISTENING
  TCP    ches-pc:3470           ches-pc:0              LISTENING
  TCP    ches-pc:3477           ches-pc:0              LISTENING
  TCP    ches-pc:5000           ches-pc:0              LISTENING
  TCP    ches-pc:6515           ches-pc:0              LISTENING
  TCP    ches-pc:netbios-ssn    ches-pc:0              LISTENING
  TCP    ches-pc:3001           ches-pc:0              LISTENING
  TCP    ches-pc:3002           ches-pc:0              LISTENING
  TCP    ches-pc:3003           ches-pc:0              LISTENING
  TCP    ches-pc:5180           ches-pc:0              LISTENING
  UDP    ches-pc:microsoft-ds   *:*
  UDP    ches-pc:isakmp         *:*
  UDP    ches-pc:1027           *:*
  UDP    ches-pc:3008           *:*
  UDP    ches-pc:3473           *:*
  UDP    ches-pc:6514           *:*
  UDP    ches-pc:6515           *:*
  UDP    ches-pc:netbios-ns     *:*
  UDP    ches-pc:netbios-dgm    *:*
  UDP    ches-pc:1900           *:*
  UDP    ches-pc:ntp            *:*
  UDP    ches-pc:1900           *:*
  UDP    ches-pc:3471           *:*

FreeBSD partition, this laptop (getting out of the game)

Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address
tcp4       0      0 *.22
tcp6       0      0 *.22
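An added check, not from the talk, that does by program what the four netstat slides do by eye: it parses listings in the Windows and BSD `netstat -an` layouts shown above and reports which listeners are reachable from off the box, i.e. bound to anything other than loopback. The Windows 2000 and FreeBSD samples are excerpts of the slides; the XP slide's hostname form (`ches-pc:epmap`) is skipped on purpose, since it hides the bind address.

```python
import re

# Windows "netstat -an" rows: "TCP  0.0.0.0:135  0.0.0.0:0  LISTENING" / "UDP  0.0.0.0:445  *:*"
WIN_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")
# BSD "netstat -an" rows: "tcp4  0  0  *.22 [foreign] [state]"
BSD_ROW = re.compile(r"^\s*(tcp|udp)[46]?\s+\d+\s+\d+\s+(\S+)\.(\d+)(?:\s+\S+)?(?:\s+(\S+))?\s*$")

# Excerpt copied from the Windows 2000 slide above, laid out as netstat prints it.
WIN2000 = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:139          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:1108         *:*
  UDP    223.223.223.96:500     *:*
  UDP    223.223.223.96:4500    *:*
"""
# The FreeBSD partition slide: only sshd is listening.
FREEBSD = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address
tcp4       0      0 *.22
tcp6       0      0 *.22
"""

def scope(addr: str) -> str:
    # Who can reach a socket bound to this address.
    if addr in ("0.0.0.0", "*", "::", "[::]"):
        return "all-interfaces"
    if addr.startswith("127.") or addr in ("::1", "[::1]"):
        return "loopback"
    return "one-interface"  # a specific NIC, e.g. the cable-modem side

def listeners(text: str) -> list:
    # (proto, port, scope) for every listening socket in a netstat dump.
    found = []
    for line in text.splitlines():
        m = WIN_ROW.match(line)
        if m:
            proto, addr, port, state = m.groups()
            if proto == "TCP" and state != "LISTENING":
                continue  # established/closing connections are not listeners
            found.append((proto.lower(), int(port), scope(addr)))
            continue
        m = BSD_ROW.match(line)
        if m:
            proto, addr, port, state = m.groups()
            if proto == "tcp" and state not in (None, "LISTEN"):
                continue
            found.append((proto, int(port), scope(addr)))
    return found

def reachable_from_outside(text: str) -> list:
    # Sorted, de-duplicated (proto, port) pairs an off-box host could talk to.
    return sorted({(p, n) for p, n, s in listeners(text) if s != "loopback"})
```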

It is easy to dump on Microsoft, but many others have made the same mistakes before

Default services
SGI workstation

ftp      stream  tcp  nowait  root      /v/gate/ftpd
telnet   stream  tcp  nowait  root      /usr/etc/telnetd
shell    stream  tcp  nowait  root      /usr/etc/rshd
login    stream  tcp  nowait  root      /usr/etc/rlogind
exec     stream  tcp  nowait  root      /usr/etc/rexecd
finger   stream  tcp  nowait  guest     /usr/etc/fingerd
bootp    dgram   udp  wait    root      /usr/etc/bootp
tftp     dgram   udp  wait    guest     /usr/etc/tftpd
ntalk    dgram   udp  wait    root      /usr/etc/talkd
tcpmux   stream  tcp  nowait  root      internal
echo     stream  tcp  nowait  root      internal
discard  stream  tcp  nowait  root      internal
chargen  stream  tcp  nowait  root      internal
daytime  stream  tcp  nowait  root      internal
time     stream  tcp  nowait  root      internal
echo     dgram   udp  wait    root      internal
discard  dgram   udp  wait    root      internal
chargen  dgram   udp  wait    root      internal
daytime  dgram   udp  wait    root      internal
time     dgram   udp  wait    root      internal
sgi-dgl  stream  tcp  nowait  root/rcv  dgld
uucp     stream  tcp  nowait  root      /usr/lib/uucp/uucpd

More default services

mountd/1            stream  rpc/tcp  wait/lc  root  rpc.mountd
mountd/1            dgram   rpc/udp  wait/lc  root  rpc.mountd
sgi_mountd/1        stream  rpc/tcp  wait/lc  root  rpc.mountd
sgi_mountd/1        dgram   rpc/udp  wait/lc  root  rpc.mountd
rstatd/1-3          dgram   rpc/udp  wait     root  rpc.rstatd
walld/1             dgram   rpc/udp  wait     root  rpc.rwalld
rusersd/1           dgram   rpc/udp  wait     root  rpc.rusersd
rquotad/1           dgram   rpc/udp  wait     root  rpc.rquotad
sprayd/1            dgram   rpc/udp  wait     root  rpc.sprayd
bootparam/1         dgram   rpc/udp  wait     root  rpc.bootparamd
sgi_videod/1        stream  rpc/tcp  wait     root  ?videod
sgi_fam/1           stream  rpc/tcp  wait     root  ?fam
sgi_snoopd/1        stream  rpc/tcp  wait     root  ?rpc.snoopd
sgi_pcsd/1          dgram   rpc/udp  wait     root  ?cvpcsd
sgi_pod/1           stream  rpc/tcp  wait     root  ?podd
tcpmux/sgi_scanner  stream  tcp      nowait   root  ?scan/net/scannerd
tcpmux/sgi_printer  stream  tcp      nowait   root  ?print/printerd
9fs                 stream  tcp      nowait   root  /v/bin/u9fs u9fs
webproxy            stream  tcp      nowait   root  /usr/local/etc/webserv
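An added example, not from the talk, of the "get out of the game" treatment applied to an inetd configuration in the SGI layout of the two slides above: every service not on an explicit allowlist is commented out, and a second function lists what still runs as root. The sample configuration is constructed from the slides' lines plus one hypothetical `ssh` entry, so that the allowlist has something to keep.

```python
FIELDS = ("service", "socktype", "proto", "wait", "user", "server")

# Constructed sample in the SGI inetd.conf layout shown on the slides above,
# plus one hypothetical ssh line to show that the allowlist keeps something.
SAMPLE_CONF = """\
# IRIX-style inetd.conf excerpt (constructed for this example)
ftp          stream  tcp      nowait   root   /v/gate/ftpd
telnet       stream  tcp      nowait   root   /usr/etc/telnetd
shell        stream  tcp      nowait   root   /usr/etc/rshd
finger       stream  tcp      nowait   guest  /usr/etc/fingerd
tftp         dgram   udp      wait     guest  /usr/etc/tftpd
echo         stream  tcp      nowait   root   internal
mountd/1     stream  rpc/tcp  wait/lc  root   rpc.mountd
ssh          stream  tcp      nowait   root   /usr/local/sbin/sshd sshd -i
"""

def parse_entry(line: str):
    """Split one active inetd.conf line into its fields; None for comments/blanks."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split()
    if len(parts) < len(FIELDS):
        return None  # malformed; leave it alone rather than guess
    entry = dict(zip(FIELDS, parts))
    entry["args"] = parts[len(FIELDS):]
    return entry

def harden(conf: str, allowed: frozenset) -> tuple:
    """Comment out every service not in `allowed`; return (new_conf, disabled)."""
    out, disabled = [], []
    for line in conf.splitlines():
        entry = parse_entry(line)
        # RPC services carry a version suffix (mountd/1); match on the base name.
        if entry is None or entry["service"].split("/")[0] in allowed:
            out.append(line)
        else:
            out.append("#disabled# " + line)
            disabled.append((entry["service"], entry["user"]))
    return "\n".join(out) + "\n", disabled

def root_services(conf: str) -> list:
    """Services still active and running as root: the ones that deserve scrutiny."""
    return [e["service"] for e in map(parse_entry, conf.splitlines())
            if e is not None and e["user"].split("/")[0] == "root"]
```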

Firewalls and intranets try to get us out of the network services vulnerability game

What my dad, and many (most?) computer users really need

Most of my Dad’s problems are caused by weaknesses in features he never uses or needs.

A proposal: Windows OK

Windows OK
• Thin client implemented with Windows
• It would be fine for maybe half the Windows users
  – Students, consumers, many corporate and government users
• It would be reasonable to skinny dip with this client
  – Without firewall or virus checking software

Windows OK
• No network listeners
  – None of those services are needed, except admin access for centrally-administered hosts
• Default security settings
• All security controls in one or two places
• Security settings can be locked

Windows OK (cont)
• There should be nothing you can click on, in email or a web page, that can hurt your computer
  – No portable programs are executed ever, except…
• ActiveX from approved parties
  – MSFT and one or two others. List is lockable

Windows OK
• Reduce privileges in servers and all programs
• Sandbox programs
  – Belt and suspenders

Office OK
• No macros in Word or PowerPoint. No executable code in PowerPoint files
• The only macros allowed in Excel perform arithmetic. They cannot create files, etc.

Vulnerabilities in OK
• Buffer overflows in processing of data (not from the network)
• Stop adding new features and focus on bug fixes
• Programmers can clean up bugs, if they don’t have a moving target
  – It converges, to some extent

XP SP2
Bill Gets It

Microsoft’s Augean Stables: a task for Hercules
• 3000 oxen, 30 years, that’s roughly one ox-day per line of code in Windows
• It’s been getting worse since Windows 95

XP SP2: Bill gets it
• “a feature you don’t use should not be a security problem for you.”
• “Security by design”
  – Too late for that, it’s all retrofitting now
• “Security by default”
  – No network services on by default
• Security control panel
  – Many things missing from it
  – Speaker could not find ActiveX security settings
• There are a lot of details that remain to be seen.

Microsoft really means it about improving their security
• Their security commitment appears to be real
• It is a huge job
• Opposing forces are unclear to me
• It’s been a long time coming, and frustrating

Microsoft secure client arms race
• We are likely to win, but it is going to be a while

Windows XP SP2
• Release Candidate 2 is available
• Read the EULA… it is interesting and a bit different


SP2 is just a start: more work is needed
• Security panel and ActiveX permissions
  – Also, list of trusted signers needed
• Still too many network services
  – They may not be reachable from outside the box
• Clicking may still be dangerous

SP2 isn’t going to be easy to deploy
• Many people rely on unsafe configurations, even if they don’t realize it
• Future SPs won’t be easy either, especially if they follow my advice
• It is a good sign that these installations are hard
  – Visiting the dentist after 20 years of neglect

Other Solutions for my Dad, and others

Lindows/OpenOffice
• Tastes almost, but not quite, unlike tea.

Dad, buy a Mac

Build an OS from scratch
• Not as hard as you might think
• “I couldn’t sleep this weekend, so I rewrote the TCP/IP stack”
• Plan 9
• Various other research operating systems
• Has to keep up with current WinTel hardware
  – Centrino is a step backward for me

Build an OS from scratch
• Start from scratch, with auditability as the principal goal
• The goal might be to run IE with demonstrable safety

Software scales
• Linus can write a kernel
• Don Knuth can write a kernel
• Profit is not necessarily an obstacle to engineering the software we need
• LinuxSE

Summary: we ought to win these battles
• We control the playing field
• DOS is the worst they can do, in theory
• We can replicate our successes
• We can converge on a secure-enough environment

Conclusions:
• My Dad’s model (the 3270 terminal) is not the only model for Internet security
  – Supercomputer centers have different user and security models
• Multi-user environments are hard
  – There is a lot of assembly required

Conclusions
• We will lose the virus detection game
• We will win the virus prevention game
• We have mostly won the sniffing battle
• Internet security is already good enough for many consumer applications
• A fully-hosed computer may still seem to be OK to the user
  – This is one of Milton Friedman’s “third party effects,” which he says are a valid target of government regulation

