On Monday, CCS unofficially started. I say unofficially since Tuesday is the first day of presentations, but on Monday there were workshops in 4 or 5 different security-related areas; I attended the Quality of Protection (QoP) workshop. I had high hopes it would lead me in a promising direction for my thesis, but alas, it did not.
I had been hoping for, and expecting, some way to measure the quality of two policies written in the same policy language, or a numeric (or partial) ordering of the expressiveness of two policy languages. Instead, it appeared more focused on software architecture and design, legal implications of quality as demanded by customers and enforced by legislation, and heuristics for vulnerabilities based on attack surfaces (locations where user input may affect the running of a program), backed by known vulnerability databases. There were 9 presenters, and it was interesting to note that 7 were from Europe and only 2 from the US.
I did learn a few things.
1. Know the definition of a metric. If you have a name for whatever it is you are designing, make sure it doesn't already have a very specific technical meaning. If it does, be prepared to get hammered on the issue.
2. Passing the buck does not fly for some people. The comment was made (not at any presentation in particular) that designing a system that depends on a secure OS, and is worthless otherwise, has no advantage to the world, besides a curiosity. I disagree with this statement, and will probably write up some thoughts on the matter later.
One presentation I would like to comment on (and couldn't during the talk due to time constraints; the more prominent members of the room hold their hands up slightly higher) was one group's paper on metrics for network topologies. The idea was simple: you have a set of servers, firewalls, etc. that provide access to some resources. There is a known attack requiring difficulty d_i from (any, all, unsure) nodes to (any, all, unsure) other nodes. You choose a target and see how difficult it is to attack. You build attack graphs based on these vulnerabilities, and the topology that maximizes this difficulty is the most secure. Seems simple enough.
I've seen attack graphs used before, and have always questioned them. If you know server / service x is vulnerable to attack y, why run it? Why not block it? Unroll an alternative? It seems like having a vulnerability in every system is a bad thing. Then again, I don't administrate a large network. Perhaps the vulnerabilities are brand new and there is no fix. Fine, moving along: the presenter used this to formulate a proof that more diverse networks were not more secure than more homogeneous networks.
The proof went like this:
Take network A with three computers. You can allow them all to be the same. Add a single, different (OS, hardware) configuration and call this network B. If we consider all weights to be equal, then network B is less secure, since there are more attack paths an attacker may choose from.
This doesn't fly with me for many reasons, none of which is that I'm a Mac user. The homogeneous insecurity property has been stated many times, but has never been more true than with Windows (and now the one computer per child project, which has changed names so many times I don't know what it's called at the moment). First, he illustrated that a larger network is less secure because it has more attack paths, and the heterogeneity property wasn't considered at all. Second, he ignored the difficulty of the attacks. My Mac is more secure than an average Windows network, and adding it isn't going to affect their security. Lastly, a diverse network doesn't have a one-attack-fits-all property. In a homogeneous network I only need one attack to compromise all computers, but in a more diverse network I need technical sophistication in many systems (Windows, Linux, BSD, AIX, etc.) (not to mention a vulnerability to compromise in each) to access everything. If everything were Windows, I would need a single (say, RPC) bug to take out the entire network.
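The three objections above can be checked against a toy attack graph. The following is an added example, not code from the workshop paper or from this post's author; the networks, platform names and difficulty values are constructed, and the model assumes a flat topology (the attacker and every compromised host can reach every other host directly) with exactly one remote exploit per platform, which is the simplest case the "all weights equal" argument covers. It computes three numbers for network A (three identical Windows hosts) and network B (the same plus one Mac): the presenter's attack-path count, the cheapest path to an existing host, and the number of distinct exploits needed to compromise every host.

```python
"""Attack-graph toy model for the homogeneous-vs-diverse argument.

Added example, not from the QoP paper or the post author. Hosts, platforms
and exploit difficulties are constructed values; the flat-topology and
one-exploit-per-platform assumptions are hypothetical simplifications.
"""
import heapq
from itertools import combinations

# Constructed networks: host -> platform. "attacker" is the entry node.
NETWORK_A = {"ws1": "windows", "ws2": "windows", "ws3": "windows"}
NETWORK_B = dict(NETWORK_A, mac1="macos")

# One remote exploit per platform with its difficulty d_i (hypothetical).
# Set both to 1.0 to reproduce the presenter's equal-weight case.
DIFFICULTY = {"windows": 1.0, "macos": 2.0}


def build_attack_graph(network):
    """Flat topology: attacker and every compromised host can reach every
    other host directly. Returns {node: {neighbour: exploit_needed}}."""
    nodes = ["attacker", *network]
    return {src: {dst: network[dst] for dst in network if dst != src}
            for src in nodes}


def count_attack_paths(graph, target, start="attacker"):
    """Number of simple paths from start to target: the presenter's metric,
    where more paths means less secure. Grows with host count alone."""
    def dfs(node, visited):
        if node == target:
            return 1
        return sum(dfs(nxt, visited | {nxt})
                   for nxt in graph[node] if nxt not in visited)
    return dfs(start, {start})


def cheapest_attack(graph, difficulty, target, start="attacker"):
    """Minimum summed difficulty of any path to target (Dijkstra). Adding a
    host can never raise this for a host that was already present."""
    best = {start: 0.0}
    heap = [(0.0, start)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node == target:
            return cost
        if cost > best.get(node, float("inf")):
            continue
        for nxt, exploit in graph[node].items():
            new = cost + difficulty[exploit]
            if new < best.get(nxt, float("inf")):
                best[nxt] = new
                heapq.heappush(heap, (new, nxt))
    return float("inf")


def min_exploits_for_full_compromise(graph, network, start="attacker"):
    """Smallest set of distinct exploits with which the attacker reaches
    every host: the "one attack fits all" question. Brute-force set cover,
    fine for toy networks."""
    exploits = sorted(set(network.values()))
    for k in range(1, len(exploits) + 1):
        for chosen in combinations(exploits, k):
            reach, frontier = {start}, [start]
            while frontier:
                node = frontier.pop()
                for nxt, exploit in graph[node].items():
                    if exploit in chosen and nxt not in reach:
                        reach.add(nxt)
                        frontier.append(nxt)
            if reach >= set(network):
                return set(chosen)
    return set()


def compare(network, difficulty):
    """All three metrics for one network, keyed by name."""
    g = build_attack_graph(network)
    return {
        "paths_to_ws1": count_attack_paths(g, "ws1"),
        "cheapest_to_ws1": cheapest_attack(g, difficulty, "ws1"),
        "exploits_for_everything": min_exploits_for_full_compromise(g, network),
    }


if __name__ == "__main__":
    for name, net in (("A (homogeneous)", NETWORK_A),
                      ("B (one Mac added)", NETWORK_B)):
        print(name, compare(net, DIFFICULTY))
```

Path count does rise from 5 to 16 when the Mac is added, which is all the presenter's argument measures; the cheapest route to ws1 stays at 1.0, and the number of distinct exploits required to own everything goes from one to two. Which of the three numbers you call "security" is the whole disagreement.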
Well, enough of that, I’m off to day 1 of CCS, where I’ll learn about encryption and intrusion detection and anonymity. Oh my!