Fresh Defense


Installing Bootcamp

Posted in General Post by xoren on January 14th, 2010

I recently installed Bootcamp and Microsoft Windows XP SP3 on my MacBook Pro.

While this was mostly straightforward, the process got complicated because I did not have my Leopard installation DVD with me, and the cost of traveling to it…well, you can guess. Not worth it.

The lack of the DVD is crucial because it contains Windows XP drivers for the Mac-specific hardware. Fortunately, this page:

http://support.apple.com/kb/HT1999

helped me run down what drivers I needed (mostly the RealTek sound driver). I got an updated NVIDIA driver from the Apple web site, so the laptop, when booted into Windows, is now able to display proper video and sound — which is, along with an external keyboard and mouse, what one needs for Windows-only video games. Network, trackpad, and other misc items are still not working. It has been a heck of a time, especially since the “updates” to Bootcamp that Apple has available:

http://support.apple.com/kb/DL967

and

http://support.apple.com/downloads/Boot_Camp_Update_2_1_for_Windows_Vista_32

don’t seem to run in Windows XP SP3 (a clean install from ISO, not an SP2 to SP3 upgrade).


DHS Hiring Spree

Posted in Current Events, Editorial by xoren on December 14th, 2009

The DHS is indeed committing to hiring 1000 clearable US citizens over the next three years. If you’re interested, you can “attend” their cyber job fair:

http://www.dhs.gov/xabout/careers/cyberjobfair

They are looking to fill these types of roles:

  • Cyber Incident Response
  • Vulnerability Detection and Assessment
  • Networks and Systems Engineering
  • Cyber Risk and Strategic Analysis
  • Intelligence and Investigation

I’m glad that this amount of hiring is happening, but I’m still unconvinced that this will bring DHS (and the American people) 300 high-quality cybersecurity professionals per year. I’m guessing 80 to 90 percent of the hires in any given year will be trainable Computer Science and/or Computer Engineering B.Sc. students — those who can gradually obtain cybersecurity skills over the course of their govt. careers. And that’s not necessarily a bad thing, except that in three years, the US cybersecurity defense posture and capabilities won’t be measurably improved.

One thousand extra people does not translate directly into an improvement — not at the rate at which network traffic flows, attacks and exploits of software vulnerabilities happen, the complexity of real systems software increases, new technologies come on line, etc. Most of the roles that DHS is seeking seem to be more on the strategy end of things rather than the tactics or operational side of the house — and I see that as a good thing, but it’s easy to misuse a sudden influx of manpower on the tactical side, even if they’re initially meant to have a strategic, forward-looking focus.


Information Considered Harmful

Posted in Current Events by xoren on December 9th, 2009

It looks like a manual containing information about TSA screening procedures has been posted to the web (with yet more poor redaction — will they never learn? Actually, software vendors should really improve their redaction function to eliminate all versions of sensitive info from the given file, and prove it to the user).

http://us.cnn.com/2009/TRAVEL/12/08/u.s.tsa.training.manual/index.html

Although most quotes in the above article express alarm and frustration at the release of this “sensitive” information, and the TSA claims that the information about procedures is “outdated” and “unimplemented” (which I see as simply a thin way to re-create some uncertainty in an attacker’s mind), I see this sort of release of information as a good thing: it lets the traveling public understand the actual level of security the TSA achieves rather than some vague, fuzzy notion of safety.

Responsible or ethical disclosure of information (be it vulnerabilities, exploits, proofs of concept, proprietary or confidential information, etc.) has long been a favorite hobbyhorse and controversial subject in the information security community. At least some forms of whistleblowing have some public value, and in general I think more information is a good thing.

The key question, however, is this: if indeed the act of creating uncertainty in an attacker or adversary’s mind has value, why does it have value and how can we measure this value? Although security through obscurity is an oft-derided “technique” (even that word gives it too much credibility as a defensive mechanism), keeping secrets has arguably had at least some value in a variety of contexts (mostly espionage or military operations). The problem, of course, is measuring how much your ability to keep information secret has limited the enemy’s options, and so counterintelligence is needed. Such active techniques, however, seem distasteful as an academic research area, since presumably many of the techniques would require attack techniques, and thus some loss of moral authority (hey, we’re not the “good guys” anymore).

Followup & Updates: (added 9 Dec)

CNN has a followup: some heads rolled (predictably — this is a terribly MAJOR BREACH of national security).

http://us.cnn.com/2009/TRAVEL/12/09/tsa.training.manual/index.html

A good article from Wired:

http://www.wired.com/threatlevel/2009/12/tsa-leak/

The Wired article has a link to an Adobe guide to “proper” redacting techniques.

Finally, those wishing to actually read the manual can download it here:

http://cryptome.org/tsa-smoke/tsa-smoke.htm


Network Intrusion Recovery

Posted in General Post by xoren on November 5th, 2009

Yesterday I gave a talk at the USENIX LISA conference about the difficulties involved in the process of recovering a network infrastructure from a large-scale intrusion.

Stories about post-mortem analysis of such incidents are rare. Here are a few links and pointers:

“Big-Box Breach: The Inside Story of Wal-Mart’s Hacker Attack” (HTML)

Chronicle of a Server Break-In (HTML, see link to Paul’s actual postmortem)

Abe Singer. “Tempting Fate,” ;login:, Volume 30, No. 1, USENIX Association, November 2005. (grab a copy of ;login:)

Eugene H. Spafford. The Internet Worm Program: An Analysis (PDF)

Cliff Stoll. “The Cuckoo’s Egg” (HTML)

Bill Cheswick. “An Evening With Berferd In Which a Cracker is Lured, Endured, and Studied” (PDF)


Deriving Intent From Biometrics

Posted in Current Events, Editorial by xoren on November 1st, 2009

Biometrics as a measure of intent dates at least to the polygraph. Humans often do have physical reactions to stress, but does this kind of system employed as a filter for further screening really buy us much safety?

In the name of finding terrorists before they board an airplane, the TSA has adopted a number of “advanced” personal profiling methods: essentially, agents looking for tells, signs of nervousness, or other vague symptoms that may or may not be harbingers of doom.

There are of course many innocent explanations for a nervous manner, sweaty shirt or face, irritated look, twitchy fingers, etc. They include people just having had arguments with their friend or spouse, hurrying to catch a flight, getting caught in traffic on the way to the airport, being recently fired, being nervous about a first flight, having a sweating problem by nature, or hurriedly typing an emotional blog entry or Facebook post into their cell phone.

The TSA apparently believes so much in this approach that they want to scale it up. And the only way to do that is to make a computer do the scanning for you. CNN had this article on October 6th: “Will Airports Screen for Body Signals? Researchers Hope So.”

I like the title, because it’s likely that only the researchers getting paid to conduct this work are hopeful that it will get adopted. There is a really nice quote from the article:

“I haven’t seen any research that shows that those measures from the autonomic nervous system … measuring blood pressure, measuring breathing, measuring heat on the face, are at all related to intent,” said Stephen Fienberg, professor of statistics and social sciences at Carnegie Mellon University.

Spot on! Identity doesn’t measure intent, and neither do your biometrics, if just for the plain fact that your individual heat signature, heart rate, etc. are exactly that: an individual signature about which the population statistics have nothing to say and no predictive power. Forensic psychology researchers involved in creating risk assessment measures (e.g., for criminal recidivism rates) argue about whether such measures can actually predict an individual’s behavior, since the rates of a population don’t determine what an individual released on parole and able to exercise free will (and subject to both the social support and temptations of the outside world) might actually do. For example, measures like the HCR-20 are instruments for assessing the risk of violence, but mainly within the context of ongoing psychotherapy sessions in a doctor-patient relationship.

Now, as a researcher who routinely solicits money from Federal agencies to support my work, I understand that the scientists involved in trying to create this technology will have some reasonable claims about its limitations and shortcomings. They’ll have a justification for why it will work well, and they may even have made a few fundamental breakthroughs in terms of gathering data from dark or dimly lit faces, bad angles, and the like. Unfortunately, they are also likely to have adopted the beliefs of their funding agency: that this type of profiling works to pick out those engaged in illegal activities or those intent on causing harm to air or rail passengers.

I’d like to see this system made to work from high up above Grand Central Station’s main floor, or in a high school auditorium, a supermarket, a sports venue, or a crowded student center. These are dynamic, real environments, not controlled lab conditions where the subject peers directly into the camera in good lighting.

All that aside, however, this view stunned me:

Civil liberties groups maintain this screening technology is an invasion of privacy. “Nobody has the right to look at my intimate bodily functions, my breathing, my perspiration rate, my heart rate, from afar,” said Joe Stanley of the ACLU.

[Project manager Robert] Burns denied the project is a violation of privacy. “We’re looking at signals you give off naturally. We’re not asking for any personal information. We’re not asking anything about you,” he said.

Burns is entirely correct — they are not asking anything about you: they are taking it forcefully from under your nose without permission. Earlier in the article, Burns states that “We’re looking for those signals that your body gives off naturally.” The problem is that technology is allowing government workers to do something that they didn’t have the power to do before. These properties are subtle and not detectable by the human eye when scanning a large crowd: heart rate, body temperature, perspiration under clothing, eye movement, etc.

Although your body does display these properties, it does not advertise them on a billboard: there is no neon sign with your heart rate plastered to your forehead. Why should government agents have the power to effectively augment their five senses to know your physical condition perhaps more intimately than you know it yourself?


Demand for a Cybersecurity Workforce

Posted in Current Events, Editorial by xoren on October 26th, 2009

This recent Washington Post article highlights the competition between DHS and NSA in their publicly stated goals of hiring 1000 to 3000 new cybersecurity professionals per year over the next few years.

I find it extremely doubtful that this level of expertise even exists. The sum total of “real” cybersecurity expertise (in terms of deep technical knowledge and strategic foresight) is probably only on the order of 1000 people worldwide. Yes, there are many people who are operational security experts (meaning that they stare at screenfuls of log entries and pretty pictures of network traces flying by), but there are very few who actually understand the internal workings of systems, the properties that lead to weaknesses and vulnerabilities, and how to manipulate real systems, hardware, networks, and program execution in order to install malware or subvert system control.

Without a commitment to educating such a workforce, it is impossible to hire such a workforce into existence. And as Gene Spafford notes, the NSA CAE (Centers of Academic Excellence in Information Assurance) program isn’t really effective in this regard (nor, might I add, is the NSF Scholarship for Service program, at least at producing the sheer volume of needed workers).


Death of Privacy

Posted in Uncategorized by xoren on September 15th, 2009

This Canadian sci-fi writer doesn’t seem to understand the concept of DoS, or the abuse potential of a deeply embedded surveillance and monitoring system. He claims that we could have

a small implant, say, that keeps track of your whereabouts using signals from the satellite-based Global Positioning System. Suppose the implant constantly broadcasts your exact location to a centralized facility. At that facility — call it the Alibi Archives — you would have your own personal black box, keeping track of your movements.

He claims that such a device would reduce crime and more quickly bring help for medical emergencies. He utterly neglects the ease with which such a small transmitter could be interfered with, and he does not seem to realize that creating a domestic surveillance system actually introduces the temptation to become totalitarian. The Protect America Act and the PATRIOT Act have had their original provisions expanded to deal with ordinary crime, not just terrorism. Government is by definition a bureaucracy. Its natural tendency is to grow, increase its scope, and subsume things that don’t rightly belong to it.

Is more public monitoring of private lives a good thing? He also doesn’t seem to realize that data, once stored, is a devil to get rid of — he is rather idealistic in assuming that law enforcement, the government, and your employer won’t try to find out what you have stored in that black box. Are you a political candidate running for office? Let me file a Freedom of Information Act request and see what you really said at that frat party 20 years ago.


Cybersecurity Act of 2009 Revisited

Posted in Current Events by xoren on September 9th, 2009

It looks like the Rockefeller-Snowe bill dealing with national cybersecurity has undergone revisions during the recent summer break. I originally scribbled a blurb about this legislation back in March.

Among some of the most troubling provisions in the original draft were clauses allowing the Executive Branch to effectively turn off national access to the Internet. Regardless of how unrealistic a complete severance of connectivity is, such a proposal was an alarming extension of executive power. It seems like this provision has been tempered.

New changes also call for more specific guidelines in getting Federal cybersecurity employees certified. I remain unconvinced that certification will save the day.


CPU DoS Attacks

Posted in Technical Article by xoren on September 8th, 2009

Also known as CPU starvation or CPU consumption attacks, such attacks present a difficult challenge to commodity computing platforms: users typically believe that commodity hardware is a high-assurance product and that software errors present more of a threat to reliability, quality of service, or security.

A Denial-of-Service (DoS) attack on a Central Processing Unit (CPU) represents an intentionally induced state of partially or completely degraded CPU performance in terms of the ability of the CPU to make progress on legitimate instruction streams.

Background

This type of attack represents a condition of the CPU whereby its available resources (registers, data path, arithmetic functional units, floating point units, and logic units) remain in an intentionally induced state of overload, livelock, or deadlock.

An attacker can prevent the CPU from making progress on the execution of benign processes in a number of ways, but at least two mainstream methods suffice to overload the CPU or impair its ability to multiplex between a collection of processes. The first method involves the exploitation of a hardware error in CPU design or construction to halt or loop the CPU or otherwise place it in an error state requiring a hard reset. The Intel F00F bug provides an example of this method of attack. The second method involves exploiting a software error in the operating system (example 1, example 2) or user-level software to cause the CPU to continuously service the faulting software (sometimes in spite of the kernel scheduler’s attempts to ensure fair CPU multiplexing). This style of attack is closely related to Algorithmic Complexity DoS attacks (they differ in that such attacks can also overload or impair memory performance rather than the CPU as the chief avenue of service degradation).

Applications

Attackers can cause the CPU to hang, halt, or execute malicious (or useless) code rather than legitimate, benign processes. They can do so by identifying and building on an error in the CPU hardware or by causing the kernel or one or more user-level processes to consume more than their fair share of execution time. Often, the latter attack involves identifying a software error (e.g., to cause an unterminated loop) or supplying specially constructed data to system calls to cause uncharacteristically long system call execution time.

Low-tech versions of this latter style of attack can include manipulating the scheduler priority for one or more processes, disabling or removing resource limits (if provided by the operating system) or issuing a fork bomb or similar resource exhaustion attack.

Descriptions of hardware bugs are often available in the published CPU errata lists for each CPU model. The errata lists often describe such errors and their preconditions in enough detail to enable the reconstruction of code sequences that manifest the error state (which often, but not always, results in a CPU hang or inconsistent state rapidly leading to a hard or soft reset). Attackers can then either directly upload and run such code sequences on a target platform or construct data aimed at eliciting such instruction sequences from the execution of existing program binaries.

The aforementioned Pentium F00F bug supplies one prominent example of a hardware error leading to a hung CPU. The Pentium processor failed to correctly handle an illegal formulation of the CMPXCHG8B instruction. Specifically, if this instruction was given a non-memory operand (the implicit operand is the concatenation of the EDX and EAX registers, and the explicit operand must refer to memory) and the instruction was given the LOCK prefix, then the CPU entered a complex failure state. Normally, supplying a non-memory operand to this instruction should generate an illegal opcode exception. Unfortunately, simultaneously specifying the LOCK prefix (which is also illegal for this type of instruction) exploited a bug in the CPU: when the CPU recognized the invalid opcode due to the non-memory operand, it attempted to invoke the invalid instruction handler vector, thus causing two reads to the memory bus. The LOCK prefix, however, caused the bus to enter a state where it expects a read-write pair of bus requests rather than two memory bus reads, and the CPU subsequently hung. Intel introduced clever workarounds, including some that took advantage of the bug’s behavior, but the ease with which this hardware error could be exploited should serve as a warning that commodity computing hardware remains complex and full of significant errors.

Open Problems

Preventing DoS attacks is notoriously difficult — the point of most software and hardware computing systems is, after all, to provide service, and exhausting available bandwidth, memory, or CPU cycles remains a major concern in the absence of redundancy or strict and well-calibrated resource limits.
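The resource limits named here and under Applications, as an added C example that is not part of the original article: a helper that runs a workload in a child process under RLIMIT_CPU, so that a constructed stand-in for the “unterminated loop” is terminated by SIGXCPU while a well-behaved workload finishes normally. Linux/POSIX semantics are assumed; both workloads are constructed for the demonstration.

```c
/* Added example (not from the original article): bounding a runaway
 * process with RLIMIT_CPU, one of the "strict and well-calibrated
 * resource limits" the article names as a defence against CPU
 * consumption attacks. Assumes Linux/POSIX setrlimit semantics. */
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run fn() in a child whose CPU time is capped at cpu_seconds (soft
 * limit, delivers SIGXCPU) and cpu_seconds + 1 (hard limit, SIGKILL).
 * Returns the signal that terminated the child, 0 if it exited
 * normally, or -1 on error. */
int run_cpu_limited(void (*fn)(void), unsigned cpu_seconds)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit rl = { .rlim_cur = cpu_seconds,
                             .rlim_max = cpu_seconds + 1 };
        if (setrlimit(RLIMIT_CPU, &rl) != 0)
            _exit(127);          /* limit could not be installed */
        fn();
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status); /* SIGXCPU when the soft limit fires */
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 0;
    return -1;
}

/* Constructed stand-in for the "unterminated loop" the article
 * describes: burns CPU forever. volatile keeps the compiler from
 * optimising the loop away. */
static void spin_forever(void)
{
    volatile unsigned long x = 0;
    for (;;)
        x++;
}

/* Constructed well-behaved workload: finishes in far under a second. */
static void finish_quickly(void)
{
    volatile unsigned long x = 0;
    for (unsigned long i = 0; i < 1000000UL; i++)
        x += i;
}

int main(void)
{
    int r = run_cpu_limited(spin_forever, 1);
    printf("spin_forever: %s\n",
           r == SIGXCPU ? "terminated by SIGXCPU (limit enforced)"
                        : "unexpected result");
    r = run_cpu_limited(finish_quickly, 1);
    printf("finish_quickly: %s\n",
           r == 0 ? "exited normally" : "unexpected result");
    return 0;
}
```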

Hardware errors will continue to present a troubling source of potential CPU DoS attacks. Hardware cannot be patched as easily as software, and simply executing a user-level program with the right mixture of instructions can compromise an entire machine, including software layers like the OS or a Virtual Machine Monitor that are traditionally supposed to enforce isolation or access control.

Latent software errors in the OS kernel and a wide variety of user-level applications also present opportunities for CPU exhaustion, livelock, or deadlock. With the increasing emphasis on parallel computing models and multicore systems, software errors involving improper lock ordering or bugs in threading libraries supply ample material for impairing the ability of the CPU to make progress on benign instruction streams.

Related Work

  1. “Intel Core 2.” Theo de Raadt. The openbsd-misc mailing list. June 27, 2007.
  2. “The Pentium F00F Bug.” Robert R. Collins.
  3. “Denial of service (CPU consumption) via a long argument to the MAIL command.” The Apache Software Foundation. 15 June 2006.
  4. “Remote Code Execution Through Intel CPU Bugs.” Kris Kaspersky. HITBSecConf2008.

Russian FSB Can Read Postal Mail, No Rights Violation

Posted in Current Events, Editorial by xoren on July 23rd, 2009

I saw this news tidbit in the Vancouver Sun yesterday morning on the plane back to DC.

The Russian FSB now has the power to open postal mail without a warrant. [ Update: similar shenanigans by the UAE for cell phones. Thanks to Apu K. for the link. -Ed.]

It really doesn’t matter which government or what medium…if there is data of value for either security or economic reasons, laws will be bent or broken to get at it.

“It reminds one of Soviet times. And the worst thing is, the people don’t care.”

The communications ministry, which issued the decree, denied it violated the constitutional right to privacy.

“This document carries a technical character,” a ministry spokesman said, denying that security services would see their powers broadened with the decree.

Observations:

  1. Very curious phrase, “a technical character” … meaning “pay no attention to the man behind the curtain!” You simply shouldn’t be concerned, because this is a very technical topic and it doesn’t actually mean that you’ve lost rights, even though that seems like exactly what is happening.
  2. Cognitive dissonance caused by that last sentence: either the security services already have this power, or the decree is meaningless because it doesn’t broaden powers, but on its face, that is *exactly* what it seems to do. Big lies are more easily believed, I suppose, particularly without any counterbalance in views.

Update:

The cognitive dissonance was nicely described as a Jedi Mind Trick. In addition, it was pointed out to me that it is likely that people actually do care, but in the absence of a free media, this sort of thing receives either no attention or only positive attention, and that dissenting opinions are only confined to venues with a purposefully ridiculous nature.
