'Attack Trees' Help Model Potential Security Flaws

Our most prolific reader, Anonymous Coward, writes "Here is an article by Bruce Schneier of Counterpane Internet Security from Dr. Dobb's Journal that describes a way to 'model threats against computer systems'." This is Bruce Schneir at his best. Many of the thoughts in this article aren't about cryptography but about other ways intruders might defeat your security measures, and about how to determine what kind of attacks you might expect to face.

Re:A good model [OT?]

Security on Windows 9x really is a lost cause.

In addition to what pb mentioned in this comment's parent, I had some time to play around on a "locked down" system. You had to give the admin some credit, he did a better job than most people so, but even so...

On a totally locked down system, you can't access Windows Explorer, and My Computer only allows you to access your own files on the network server. Not even the C drive. But wait! WindowsKey+E brings up Explorer on C:\Windows. Oops. WinKey+F brings up Find, allowing you to check for each and every drive on the network. Find one, and you can right-click, and then select Explore, making it magicly appear in Windows Explorer.

The admin for this lab had gone and actually deleted command.com from the computers. Good idea, but unfortunately, the computers had web access. Problem solved. You could then create a shortcut to command.com.

At the command prompt, you could try to bring up regedit.exe, but no... Policies didn't allow that. Too bad the policies don't prevent you from using regedit's command line switches, eh? You can export the registry to a plain-text file, then use command line options to delete any entries you don't like.

Also from the command prompt, you could change the access properties on files on the network drives. I was able to change the both the internet website and the webpages on the LAN. Both were supposedly locked so that only the admin could get at them. Oops.

Anyway, you want security, you simply don't use Win9x. (This is why Norton's Ghost sells so well, no?)

------

Re:process, not product

If you don't have the sympathy of the people you're working with, you're already doomed. A snotty attitude on the part of the security experts rarely helps.

Example: sysadmin abruptly changes policy to frequently expiring passwords, with no recycling of old passwords.

Result: users start picking passwords that are dead easy to guess, in fear that they may forget them. They're also very careful to write down their password somewhere near their machine.

Now compare Unix and EROS

You will note that EROS [eros-os.org] takes the idea of reducing the number of nodes closer to the root of the tree as far as possible. (The introductory essays [eros-os.org] are particularly valuable to read.) Every program is passed exactly the access it needs to have which means that there are far fewer programs which run as root or something close to root (the pun with the root of the attack tree is unintended) and therefore there are a lot fewer potential ways to try to break the security.

For those who do not want to read the essays in detail, here is an explanation "from 20,000 feet" to give you a sense. Unix is based on the idea of an access control list. You have permissions based on who you are, and every process you run will (by default) have permissions to do on your behalf anything that you can do. EROS is based on the idea of a capability. Capabilities can be thought of as handles through which you can request some action and you can do nothing without explicitly being handed the appropriate capability.

The difference is obvious when you consider trying to cat a file. In Unix you hand a program like cat the names of the files you want it to open and trust it to do nothing other than what you asked. In EROS you have the capability to produce capabilities which we will call file-handles would hand cat the open file-handles from which it could read those files and be guaranteed that it is unable to talk to anything other than you, or read anything other than those files, since it has no other capabilities (not even the ability to produce another file-handle). Note that in Unix you explicitly have to trust that cat won't do anything else while in EROS there is no way that it could.

This ensuring that processes never have any ability that they do not need to have results in far fewer processes with sufficient permission to cause damage, and therefore results in the attack tree by default being substantially pared down from what is possible even in a heavily locked down Unix system. As a result verifying the security of the operating system becomes a far simpler task. While attempting to verify the security of a Unix system is possible, the OpenBSD [openbsd.org] folks have done an extremely good job of it, the equivalent task for a capability system is far simpler.

Food for thought. :-)

Cheers,
Ben

process, not product

Security is not a product -- it's a process

It's amazing how many people who should know better miss that simple point. I've worked at places that spent fortunes on security products, and yet all the workers wrote their login/passwords right on the monitor because it took the IT security staff so long to create new logins that everybody just shared the same ones.

NT workstation is one of those perfect examples of a decent product with an easy attack path. The basic security model is reasonable, but then they integrate the web browser and e-mail package with everything else on the system, allowing so many security holes that they'll never really be plugged.

Re:E-commerce Security Consulting or software

If you need to ask these questions, you have no business doing ANY online commerce.

As the Sysadmin for a large e-commerse site, I spend roughly 50% of my time on security. While no system is full-proof, the sysadmin MUST be well versed in security and MUST address it on a daily basis.

All it takes is one stolen credit card number from your site. Lawsuits. Bad publicity. Bankrupt startup.

For an e-commerce site, system security can potentially MAKE or BREAK your business.

A good model

This is a good model of explaining security threats. For example, look at an operating system like win98 (I'm not just MS bashing 'cause this is slashdot, I'm making an actual point.) By integrating browsers and such so closely into the operating system, Win98 effectively adds opportunities for more leaf nodes. Take the following example: On a UNIX system, you need at least the root password to take ove rthe entire machine. A regular user's password is nice if you need to telnet in. There are a few ways to do this, such as social engineering, getting a root shell via a buggy network daemon, or guessing. Now look at Windows. There are more ways into the system, so there are more branches. You could get an administrator password by the methods mentioned above. Or you might find a bug in a web browser or email program running under an administrative account. By Microsoft "seemlessly integrating" software with their OS, they've created a situation where there are more nodes closer to the root of the tree. In a better security model, you would want as few nodes close to the root as possible, so that any viable points of attack would have to circumvent numerous obsticles to be successful.

No startling new thoughts, just my own musings. If you can't tell, I found the article pretty interesting, and I've never thought about a hierarchical method of analyzing security risks.

Just a nitpick

By Microsoft "seemlessly integrating" software with their OS, they've created a situation where there are more nodes closer to the root of the tree.

It dosn't matter how close the node is to the root, but how many branches there are in total. Even if all the paths to the UNIX root were hundreds of nodes deep, if they exsist at all, the system is vulnerable. The integration of nodes in MS operating systems do add a lot more nodes that connect, at some point, to the root. so the attacker has a lot more options

Useful for a company

The attack tree idea seems like something which would be best provided to a company by their security vendor. Suppose I sell products to encrypt a companies valuable secrets now it is to my benifit that companies who buy my product don't get hacked etc.. even if it isn't the fault of my product. Thus it becomes my job to improve the security model of the company I sell to. Providing them with attack trees (maybe in software form) is probably a good way to convince them that using 1 billion bit encryption isn't sufficent if the executive keeps the passphrase in his desk drawer.

However, it doesn't seem very useful to the designer of a security product. Any security product needs to be used properly in order to be effective hence most of the social engineering routes on the attack tree are irrelevant to the designer of the software (he cannot control what people do with their passphrases). An attack tree of bugs in the program isn't as helpful because a succesful attack is always one which is unanticipated.

If you realize their is a danger of buffer overflow you add code to prevent the overflow hence at release the developers should always think any route on the attack tree is impossible (in theory the code CAN be safe (unlikely in practice) unlike the implementation of the scheme (people can always be blackmailed etc..) ). Of course a properly designed modular cryptographic program would probably distrust results from its own subroutines (check against faulty returns from your own procedures just as you do against user input) but the attack tree seems to add nothing to this.

Re:A good model

No, sorry, it's actually much worse.

Win '98 doesn't really have administrative accounts. Accounts are all wrong. They might have some "Policies and profiles" stuff, but that's pretty flawed too. I routinely get around Windows "security", and even that usually involves continually taking out OS "features", until there isn't anything usable left.

I'd be happy to discuss this with anyone. The effort required to really secure a Win '95/'98 box generally isn't worth it, which is why Microsoft sells NT. (not that that's *so* much better, it has its own problems. :)

Simple exploits:

F5 or F8 to bypass or mess with boot sequence. Good to disable this, and put a BIOS password on your computer.

Ctrl-Esc before you're logged in: can still bring up the Task Manager!

Cancel the log in, if it asks you for one. Often still brings up Windows.

Ctrl-Alt-Del. 'nuff said.

On a "locked-down" Windows box, try to get a command prompt or shell window, so as to execute the commands you want to use. Alt-F3, I think, will often still bring up "Find". See if they disabled "Run", "My Computer", etc.

If you can get to a web browser, set--say--the app for telnet to C:\COMMAND.COM. :)

If you can get Macros running, in Word or Excel, I think SHELL("C:\COMMAND.COM") works in Word Basic, but you can look up the SHELL command in the help.

Originally, you could just shut down Windows '95, and then type in DOS commands--it just dropped you to a prompt, and left you in graphics mode, saying "It is now safe to shutdown your computer"! You could type in, say, "MODE CO80", get back to text mode, and play in DOS from there...

These are just the pretty obvious ones, of course there are more interesting ways to hack Windows, like copying/editing binaries to run other programs, this sometimes gets around that Policies & Profiles crap...

On UNIX:

Login:
Password:

Damn damn damn damn damn! :)
---
pb Reply or e-mail rather than vaguely moderate [152.7.41.11].