Exploitable bugs.pdfVIP

1Accountability and Freedom Butler Lampson Microsoft September 26, 2005 2Real-World Security ? It’s about risk, locks, and deterrence. ? Risk management: cost of security expected loss ? Perfect security costs way too much ? Locks good enough that bad guys break in rarely ? Bad guys get caught and punished enough to be deterred, so police / courts must be good enough. ? Can recover from damage at an acceptable cost. ? Internet security similar, but little accountability – Can’t identify the bad guys, so can’t deter them 3How Much Security ? Security is costly—buy only what you need – You pay mainly in inconvenience – If there’s no punishment, you pay a lot ? People do behave this way ? We don’t tell them this—a big mistake ? The best is the enemy of the good – Perfect security is the worst enemy of real security ? Feasible security – Costs less than the value it protects – Simple enough for users to manage – Simple enough for vendors to implement 4Causes of Security Problems ? Exploitable bugs ? Bad configuration – TCB: Everything that security depends on Hardware, software, and configuration – Does formal policy say what I mean? ? Can I understand it? Can I manage it? ? Why least privilege doesn’t work – Too complicated, can’t manage it The unavoidable price of reliability is simplicity —Hoare 5Defensive strategies ? Locks: Control the bad guys – Coarse: Isolate—keep everybody out – Medium:Exclude—keep the bad guys out – Fine: Restrict—Keep them from doing damage Recover—Undo the damage ? Deterrence: Catch bad guys, punish them – Auditing, police, courts or other penalties 6The Access Control Model Object Resource Reference monitor Guard Do operation Request Principal Source Authorization Audit log Authentication Policy 1. Isolation boundary 2. Access control 3. Policy 1. Isolation Boundary to prevent attacks outside access-controlled channels 2. Access Control for channel traffic 3. Policy management 7Isolation ? Attacks on: – Program – Isolation – Policy Service