EFTA02409737.pdf

RSACONFERENCE2008 Darwin & Security: What Evolution Tells Us About the Past and Future of Security Paul Kocher I Cryptography Research. Inc. 04K19/08, 84:50em I Session Code: EXP-201 CITTIOGLUIrt RBUJOI RSA 2008 RSACONFERENCE 20 The theory of this talk... • Instead of focusing on isolated events, we can learn more (and make better predictions) by analyzing how attacks and defenses evolve together 2 EFTA_R1_01470124 EFTA02409737  RSACONFERENCE2008 RSACONFERENCE2008 Brief introduction • Focus on real-world cryptographic systems - Systems, architectures, protocols (SSL 3.0...) — Organization & management challenges in security • Highly technical team — High-assurance emphasis — Customers: Financial, technology, entertainment, pay TV, communications, anti-counterfeiting R&D-based business — Services: Design, implementation, evaluation, education - Licensing: Tamper-resistance/DPA, secure ASIC technologies — Systems designed by CRI engineers protect »$100B annually 3 (rattrap., h RSACONFERENCE2008 In this talk, I'll explore security as an evolutionary process between attacker and defender — How defensive measures influence attacks — How attackers gain advantages by manipulating our defensive strategies and perceptions of risk But first a quick look at what's missing from traditional (non-evolutionary) perspectives... 4 buio.,ur limn. EFTA_R1_01470125 EFTA02409738  RSACONFERENCE2008 a/Leask. Obni$3,1 et tigalea W•43.41091.,011 "LW. Vitt. Ito Vabas**14.114.1 Traditional security emphasis: Leery yds Iv Wet. *0313•170 arkoriardotio Oa Wader* 1•011103014) -- Vulnerabilities -- re Snip Web. wrOxne0110214•1 II leant WI* lerMrotbrri eta/Mg • Evaluations = checking for vulnerabilities 'Up: Web %teas WASla twork..ofelt9:1011 • Attacking = exploiting vulnerabilities fif Stoat. We. fetVatleves.03.1090) fir Lorry uple•I. Wed., *01171•411 • Responding = patching vulnerabilities erfoort•lidit•OvWeders•OrtNni • Engineering = introducing vulnerabilities 0 tr WOO.b 41000371 t Swots WebrwvwWn 4•01193441) Sly t4 a• 0 onnool It's all very tidy W Wawa wet.. ingaleal fineoetaidthi f windows .001Zikal - Defenders have nice lists of fixed flaws 34C.Ity lade,I, Wag., warriatalt (tbannode. .0 weconntatM. — It appears that progress being made... MI $.0,00.1S4 Its Wesi....019.110., *sea for Vorstw4 0397)7Th V kW*, ... but if this was working. the attackers would er ievartnisles Vretion *ammo+ be giving up — which isn't happening ... a eer., VW** ••• %Wen§ *D10.1%40 t SeterValateintawet101.1100) V upfseek• tvedam or (M42, 01 VSeareptedilsOerWedent 0791110.1 ti Swiet• US. I. %Won Pf0M0•15) tarLiela Is warm • (0041644) Cr Sart, LidisIs Way* gr OPT•4•XOsi (rnitm; hums Stoat, upclehe Is VIMOM •01140194 EFTA_R1_01470126 EFTA02409739  RSACONFERENCE2008 RSACONFERENCE20I A simple problem... Q: Suppose a product undergoes Solution: two independent security reviews: Total bugs: B — Review #1 funds 16 bugs Review #1 found 16/B — Review #2 finds 15 new bugs Review #2 found 17/B + 2 that were also found by #1 Bugs found by both: B(16/8)(17/B) = 2 — All of these bugs get patched Solve for B = 136 before the product ships Unfixed bugs: B-16-15 If we assume all bugs are equally easy for reviewers to catch, how (If some bugs are harder to many unpatched bugs are detect than others, the expected in the shipped product? answer becomes larger.) 7 ((meantime(' The basic evolutionary cycle... New defense Prey Predator (aka defender) (aka attacker) [ New exploit Predators & prey must adapt or die. — Prey die off if they cannot find a workable defense — Predators die off if they can't find workable attacks (although the predators doing pretty well these days.. ) Crown tun EFTA_R1_01470127 EFTA02409740  RSACONFERENCE2008 RSACONFERENCE2008 An example... website blacklisting • Websites serving exploits get blacklisted — Blocked sites don't propagate malware very well — Selection pressure: attacks that lead to rapid blacklisting are less fit • What are obvious responses? — Infect legitimate (e.g., whitelisted) sites to make them serve malware — Prevent blacklisting services from detecting the malware 9 (tar ur,tarn hymn RSACONFERENCE2008 An example... website blacklisting "random js" attack — Installed on ISP web servers that are serving multiple domains — Dynamically embeds malicious javascript into webpages — Serves out an updateable cocktail of exploits (13 as of Dec. 2007). which install a nasty data harvesting Trojan — 10.000 legitimate domains hosting the attack — The attack is only served out once per visiting IP address (Saxe £ H mere ', brew. see iovn MCAC WOW riven In 2C04) • Widespread use of blacklisting has caused adversaries to: ...focus more on compromising legitimate websites ...use code morphing to randomize their malware ...limit infection attempts to conceal machines serving out malware io Inno.urn Puny EFTA_R1_01470128 EFTA02409741  RSACONFERENCE2008 Evolving resistance Breakable security responses work like antibiotics - Work wonderfully at first - ... so they get used widely - ... creating a huge selection pressure - ... so the pathogens evolve immunity - ... leading to an even nastier problem Classic Prisoners' Dilemma: — With many defenders, unified strategies are impractical - Attacker evolution is inevitable (a few participants denying themselves a benefit won't fix the trend) A— Smart participants take benefits when they can 11 (sown ilium. On-line piracy: Past evolutionary steps • Original problem: Distribution of pirated content • Original response: Prosecution Evolutionary sequence: • Attack #2: Distribute circumvention tools instead pirate copies • Response #2: Digital Millennium Copyright Act (1998) • Attack #3: Napster • Response #3: Litigation (Napster shut down 2001) • Attack #4: Grokster & others test the lines of legality • Response #4: MGM v. Grokster (Grokster shut down 2005) • Attack #5: Rise of BitTorrent • Response #5: Attack trackers (torrent.ls, Demonlod, OINK.ed... In 2007) • Attack #6: Trackers in "safe" jurisdictions; trackerless protocols Vit>DMCA => =>0 ra BitTorrent EFTA_R1_01470129 EFTA02409742  RSACONFERENCE2008 RSACONFERENCE2008 On-line piracy: Predicting future evolution Communication & storage advances. Current efforts by rights holders — Laws requiring increased responses by ISPs — Increased prosecution of individuals — International legal efforts (such as vs. The Pirate Bay) • Which will lead to increased... — Funding of legal counterattacks (such as Sweden's Pirate Party) — Decentralized, anonymous, encrypted file sharing systems • Which will lead to... — Efforts to increase penalties for those who get caught (like mail theft) — Dramatically increased effort to flood pirate networks with fake files and degrade the pirate user experience • Which will lead to... — Sympathy campaigns for targets — Public key reputation systems to authenticate posted files 13 RSACONFERENCE2008 Pay TV signal theft... • Another interesting case study: — Long history of co-evolution — Sophisticated participants — Broad range of strategies attempted — Significant attacks are visible 0> Prey (aka defender) New demos Predator (aka attacker) Na exploit firmo.wir lump EFTA_R1_01470130 EFTA02409743  RSACONFERENCE2008 RSACONFERENCE2 Pay TV signal theft... Example: Popular channels like HBO, ESPN, etc. are not legally available in Canada (don't meet local rules) — Result: Thriving black market (Canadians pay more than what US subscribers pay) — Pirates have made a fortune breaking security • Example: "vcipher" raid = $13M (CDN) cash/checks/bonds + 10,000 access cards + guns... Est revenue: $10M/year — Attacks spill back into the US market Result: Extreme pressure on the technical systems • • , o • MIIsEt 4 i t+rtAiiNia4:‘;:•iii.,i1..... Pay TV signal theft... Numerous examples of evolutionary sequences: - Analog traps. DISCRET, OAK. EBU... attacked using pirate boxes - VideoCipher II. VideoCipher II+ ... attacked by VMS & other attacks - VideoCrypt: • First 5 card gens: Limit voltage/current on 21V external prog pin • 6th card gen: PIC-based message blocker ("Kentucky Fried Chip") • 7th card gen: PIC16C84-based blocker/emulator ("Ho Lee Fook") • 7th card gen: PC-based emulator by Markus Kuhn • 8th card gen: Abandoned. (Same as 7th with different keys) • 9th card gen: Phoenix programs (record & replay activations) • 9th card gen: Full emulator cards (-battery cards*, Dallas 5002FP) • 9th card gen: SEASON programs • 10th card gen: Phoenix programs, battery cards • 11th card gen: Replaced (reason unknown) • 12th card gen: (migration to new architecture) to man hum, EFTA_R1_01470131 EFTA02409744  RSACONFERENCE2008 RSACONFERENCE2OO8 Pay TV Tradition of high hopes then disappointment — New products were expected to work, but didn't — Each product's generation addressed the previous failure, not necessarily logical predictions about future risks - Risks hidden until commercial exploits arose • Humans instinctively obsess over measures to fix past failures - Good vs animal predators - Not against agile attackers. Q: If attacks were less visible, would the first card generation have ever been replaced? a-= 17 (inktom•hi.ifron. RSACONFERENCE2OO8 Detectability & Information asymmetries • As defenders, we optimize based on what we know — Defending is much harder if we don't know the attack — Smart adversaries hide information • Unnecessarily visible attacks (such as viruses/worms that replicate in the wild) are generally the stupidest — Example: Information theft for insider trading • Detected attacks = stopped and/or prosecuted • Strategy: Stealth + narrow targeting — Ex: Anti-virus/blacklisting software is useless • Defender uncertainty: Am I dangerously exposed... or overly paranoid? 18 EFTA_R1_01470132 EFTA02409745  RSACONFERENCE2008 RSACONFERENCE20 Revisiting the cycle... Defender wins if no attack attempted (e.g., system is obscure, rAttacker gains if the response takes longer doesn't appear to be worth attacking, or defender is lucky) Defender loses if there is no New defense effective fix Prey Predator (aka defender) (aka attacker) New exploit Defender loses if the attack is catastrophic Defender wins if attacker Defender loses if no (= detection irrelevant) fails (robust design, luck. response because attacker resource limits...) attack is not detected "Success" is measured as a cost/benefit: ,== • Defender. Cost of defense vs. reduction in loss 19 freKrautr htun • Attacker: Cost/risk of attack vs. benefits I r it T •r C e...1111r.; / A i n 74 . A zero-sum game? * • • 4 • • When attackers are thriving, the burden is felt disproportionally by • some targets - Attackers pick easiest victims - • • If one target becomes Hungry lions stalking zebra a ric harder to catch, predators impala in the Okavanco Delta switch to the easier prey - Attackers expect changes and diversify (Pay TV, credit card fraud, bogus checks. drugs, weapons...) • Consequence #1: Security improvements offer a double reward — Eliminate the problem and competitors face extra predation • Consequence #2: Benefits are local, not systemic — Fraud is redistributed, but the impact on the predator is often small (The delta between the original attack and the next-best alternative) 20 (voltam*, hum) EFTA_R1_01470133 EFTA02409746  RSACONFERENCE2008 vpm. , In-SOO Many strategies can work, but in all cases the long-term survival of prey species depends on evolving as predators become more effective [We're the prey] • -4:7,1-wir4V t. EFTA_R1_01470134 EFTA02409747  RSACONFERENCE2008 "If the bad guys appreciated how much effort we put into patching, do you think they might stop compromising our system?" 23 RSACONFERENCE2008 Evolving faster & better... • Genetic improvements happen gradually - Less fit organisms don't propagate • A few species specialize in a much faster way to adapt — Learning 24 Nino.inututh. EFTA_R1_01470135 EFTA02409748  RSACONFERENCE2008 RSACONFERENCE2 Address information asymmetries that limit evolution Attackers hide information to prevent good strategic decisions • Many examples - Britain & US lives sacrificed to keep Germany from knowing the Enigma was broken • But adversaries often leave hints... - Germans knew U-boat losses were inexplicably high, but had too much faith in the Enigma — Is card use at certain merchants linked to subsequent fraud? — Is stock trading correlated to pending M&A announcements? — Are solicitations from customers being sent to addresses in your mailing list? (Tricky to distinguish clever inferences from stolen info!) 26 EFTA_R1_01470136 EFTA02409749  RSACONFERENCE2008 Example #1: Academy screeners... • Academy members need to see movies so they can vote for them - Problem: Rampant piracy of screeners — Too expensive & difficult to make uncopyable • Solution: Forensic marking ishr — Unique identifying marks in each original - Enables copies to be traced to the Academy member • Extra information forced the predators into the open — Today, movies still get pirated, but the sources get shut off quickly (+ prosecuted if appropriate, e.g. Russell Sprague) - Successful: Piracy from Academy screeners is now self-limiting Umixam, hvom RSACONFERENCE2008 Example #2: Honeypots, etc. • Problem: How to tell if outside attackers have breached a network - Approach: Put a honeypot on the network that will tempt adversaries who have breached the perimeter & alert you • If it is raided: proof something is horribly wrong • Useful datapoint (though not conclusive) if not breached Related approaches for other problems, e.g.: — Tempting URL in comments in sensitive source code — Traceable addresses in mailing list copies 28 Unwovhmoy EFTA_R1_01470137 EFTA02409750  RSACONFERENCE2008 RSACONFERENCE2008 Allocate resources to maximize the ability to evolve — and limit adversaries' ability 29 (inktom•hi.ifron. RSACONFERENCE20O8 How should resources be allocated? Option #1: Invest in many incremental responses: — Each provides some temporary relief... but will never 'win' — Pros: Disrupts pirate viewers, low-cost, easy to develop — Cons: Gets broken quickly; continuous investment required Option #2: Invest in a major defensive upgrade — The best strategy if the attackers can be driven away to other targets — Pros: Potential to fundamentally change the situation — Cons: Long lead time. more expensive, requires skilled engineering Game theory problem — right answer depends on risk model - Non-evolutionary models biased toward incremental approaches - Evolution-aware models tend to favor decisive efforts, if available • Iterative processes train adversaries + can increase attacker profits (= stronger attacker next time) sa • If attacker dies or specializes in other prey, a broad range of -=-=- risks decrease (e.g., if attack infrastructure is dismantled, it 30 0,„"„,,h,„, 0 won't be there to exploit future vulnerabilities) EFTA_R1_01470138 EFTA02409751  RSACONFERENCE2008 'CONFERENCE? Contrasting strategies we've built and deployed Self-Protecting Digital Content CryptoFirewall Renewable anti-piracy system: Tamper-resistant silicon core: Enable defenses to evolve Goal to completely end attacks - Integrates security software — Typically manufactured as part with content of a larger ASIC - Each disc./title carries security — Intra-chip security perimeter: code for its own playback secure even if rest of chip fails - Enables new discs to carry — Far stronger and more cost- new countermeasures effective than general purpose - Complements (imperfect) chips (e.g.. smart cards) defenses — 50M+ pay N chips deployed - Deployed in Blu-ray (BD+) ,! (t. •:4 Utilize indirect information effectively EFTA_R1_01470139 EFTA02409752  RSACONFERENCE2008 Organizational perspective • How well does your organization learn from past failures? — Example — airplane crashes - Good example: FAA - Mediocre: TSA • Immediate causes are usually obvious — A specific vulnerability — Patching the immediate cause wastes a valuable opportunity • The proximal and root causes are most important — Poor communication between engineering groups? — Critical design tasks performed by unassisted novices? — Insufficient security budget? etc. Itamorn Monti Organizational perspective • Different organizations have different problems - Smaller organizations • Challenges tend to be lack of infrastructure, resources — Bigger organizations: • Can develop internal expertise by exposing a few people to problems across the organization • ... but tend to overload people with policies & politics • ... and consequences of failure are larger 34 Inno.onn lump EFTA_R1_01470140 EFTA02409753  RSACONFERENCE2008 RSACONFERENCE2008 Consistency vs. flexibility Policy compliance can be mind-numbing - ISO 9000, SOX, HIPAA, — Encourage uniformity, limits flexibility — Policy overhead distracts (or drives away) the best people A question of balance... - Security policies cannot substitute for common sense or hiring smart trustworthy people — Carelessness about consistency are also creates risk 35 nructm, Mom. "Look at the bright side. The total network meltdown will free the IT department to focus on our core mission: audit paperwork." 36 EFTA_R1_01470141 EFTA02409754  RSACONFERENCE2008 RSACONFERENCE2 Put yourself in the adversary's shoes Think a few moves ahead • How will the adversary respond? — What will be the new optimal strategy for the adversary? • Will this be better or worse for me than the old attack? — Will the adversary give up? Attack the competition? • How will the my organization respond to the updated attack? - Will people be surprised? Upset? — Do we have the next response planned? How long will it take to roll out? What will it cost? ... 2- - Itoto.umhtutto EFTA_R1_01470142 EFTA02409755  RSACONFERENCE2008 Trying on a black hat Internal "black hat" security brainstorming — Identify how your team would attack your own systems if they were disgruntled employees, competitors, extortionists, etc... — If an attack succeeded, what signs could observe that would suggest a breach? — What defensive upgrades could address the risks? If these were deployed, how would adversaries adapt? • Offer small prizes for the best insights — Goal: Encourage team to stop focusing on the why systems are strong, and instead ask how they can be made to fail Closing thoughts dJ EFTA_R1_01470143 EFTA02409756  RSACONFERENCE2008 Dn. ic oet•in. ma:rrv1.u, . Ow.). 00alfl. mg•tdo• thy ri.mg thAp nuietial .?•.••1•11.< oppo,aned -Pal an.pn nupd. aclulp. ,,,,, Jl. ,t, , ,Icrol On "Intelligent Design' ippeosa Al aM (0.np &rut of f doo flowerafaft. ..lotch 2k 1M11 • Can intelligent people build a complex system and get it right? — Doubtful... Windows... Linux... FreeBSD... etc. = too many interactions, too complex to secure reliably • Yet we can build complex systems that can evolve in response to new threats — Windows update, SPDC... Perhaps our best hope is to harness evolutionary processes to create systems L. that meet our needs... RSACONFERENCE2008 A thought experiment on factoring... If we want to evolve the ultimate factoring algorithm... O Create a random algorithm 0 Create some medium-sized random test integers O Test whether if algorithm can factor the test integers quickly • If not, randomly modify the algorithm and go to step 2. O Stop Even a completely dumb process will eventually stumble upon the optimal factoring algorithm, but smarter Lapproaches should yield results faster 42 (1O,0OO1, h.f /110 EFTA_R1_01470144 EFTA02409757  RSACONFERENCE2008 tan . at implemen asic x entities that study thetde find the answer, stop the siliAlatio RSACONFERENCE20 For a copy of my slides: Paul Kocher [email protected] We're hiring... Ask me or visit www.cryptography.com/jobs OVPI0GRAPH, Rtst ARCH EFTA_R1_01470145 EFTA02409758