EFTA02409737.pdf

RSACONFERENCE2008 Darwin & Security: What Evolution Tells Us About the Past and Future of Security Paul Kocher I Cryptography Research. Inc. 04K19/08, 84:50em I Session Code: EXP-201 CITTIOGLUIrt RBUJOI RSA 2008 RSACONFERENCE 20 The theory of this talk... • Instead of focusing on isolated events, we can learn more (and make better predictions) by analyzing how attacks and defenses evolve together 2 EFTA_R1_01470124 EFTA02409737 RSACONFERENCE2008 RSACONFERENCE2008 Brief introduction • Focus on real-world cryptographic systems - Systems, architectures, protocols (SSL 3.0...) — Organization & management challenges in security • Highly technical team — High-assurance emphasis — Customers: Financial, technology, entertainment, pay TV, communications, anti-counterfeiting R&D-based business — Services: Design, implementation, evaluation, education - Licensing: Tamper-resistance/DPA, secure ASIC technologies — Systems designed by CRI engineers protect »$100B annually 3 (rattrap., h RSACONFERENCE2008 In this talk, I'll explore security as an evolutionary process between attacker and defender — How defensive measures influence attacks — How attackers gain advantages by manipulating our defensive strategies and perceptions of risk But first a quick look at what's missing from traditional (non-evolutionary) perspectives... 4 buio.,ur limn. EFTA_R1_01470125 EFTA02409738 RSACONFERENCE2008 Traditional security emphasis: -- Vulnerabilities -- • Evaluations = checking for vulnerabilities • Attacking = exploiting vulnerabilities • Responding = patching vulnerabilities • Engineering = introducing vulnerabilities 0 It's all very tidy - Defenders have nice lists of fixed flaws — It appears that progress being made... ... but if this was working. the attackers would be giving up — which isn't happening ... (rnitm; hums a/Leask. Obni$3,1 et tigalea W•43.41091.,011 "LW. Vitt. Ito Vabas**14.114.1 Leery yds Iv Wet. *0313•170 arkoriardotio Oa Wader* 1•011103014) re Snip Web. wrOxne0110214•1 II leant WI* lerMrotbrri eta/Mg 'Up: Web %teas WAS la twork..ofelt9:1011 fif Stoat. We. fetVatleves.03.1090) fir Lorry uple• I. Wed., *01171•411 erfoort•lidit•OvWeders•OrtNni tr WOO. b 41000371 t Swots WebrwvwWn 4•01193441) Sly t4 a•0 onnool W Wawa wet.. ingaleal fineoetaidthi f windows .001Zikal 34C.Ity lade, I, Wag., warriatalt (tbannode. .0 weconntat M. MI $.0,00.1S4 Its Wesi....019.110., V k W * , *sea for Vorstw4 0397)7Th er ievartnisles Vretion *ammo+ a eer., VW** ••• %Wen§ *D10.1%40 t SeterValateintawet101.1100) V upfseek• tvedam or (M42,01 VSeareptedilsOerWedent 0791110.1 ti Swiet• US. I. %Won Pf0M0•15) tarLiela Is warm • (0041644) Cr Sart, Lidis Is Way* gr OPT•4•XOsi Stoat, upclehe Is VIMOM •01140194 EFTA_R1_01470126 EFTA02409739 RSACONFERENCE2008 A simple problem... Q: Suppose a product undergoes two independent security reviews: — Review #1 funds 16 bugs — Review #2 finds 15 new bugs + 2 that were also found by #1 — All of these bugs get patched before the product ships If we assume all bugs are equally easy for reviewers to catch, how many unpatched bugs are expected in the shipped product? ((meantime(' RSACONFERENCE20I Solution: Total bugs: B Review #1 found 16/B Review #2 found 17/B Bugs found by both: B(16/8)(17/B) = 2 Solve for B = 136 Unfixed bugs: B-16-15 (If some bugs are harder to detect than others, the answer becomes larger.) 7 The basic evolutionary cycle... Crown tun New defense Prey (aka defender) Predator (aka attacker) [ New exploit Predators & prey must adapt or die. — Prey die off if they cannot find a workable defense — Predators die off if they can't find workable attacks (although the predators doing pretty well these days.. ) EFTA_R1_01470127 EFTA02409740 RSACONFERENCE2008 RSACONFERENCE2008 An example... website blacklisting • Websites serving exploits get blacklisted — Blocked sites don't propagate malware very well — Selection pressure: attacks that lead to rapid blacklisting are less fit • What are obvious responses? — Infect legitimate (e.g., whitelisted) sites to make them serve malware — Prevent blacklisting services from detecting the malware 9 (tar ur, tarn hymn RSACONFERENCE2008 An example... website blacklisting "random js" attack — Installed on ISP web servers that are serving multiple domains — Dynamically embeds malicious javascript into webpages — Serves out an updateable cocktail of exploits (13 as of Dec. 2007). which install a nasty data harvesting Trojan — 10.000 legitimate domains hosting the attack — The attack is only served out once per visiting IP address (Saxe £ H mere ',brew. see iovn MCAC WOW riven In 2C04) • Widespread use of blacklisting has caused adversaries to: ...focus more on compromising legitimate websites ...use code morphing to randomize their malware ...limit infection attempts to conceal machines serving out malware io Inno.urn Puny EFTA_R1_01470128 EFTA02409741 RSACONFERENCE2008 Evolving resistance Breakable security responses work like antibiotics - Work wonderfully at first - ... so they get used widely - ... creating a huge selection pressure - ... so the pathogens evolve immunity - ... leading to an even nastier problem Classic Prisoners' Dilemma: — With many defenders, unified strategies are impractical - Attacker evolution is inevitable (a few participants denying themselves a benefit won't fix the trend) A— Smart participants take benefits when they can (sown ilium. 11 On-line piracy: Past evolutionary steps • Original problem: Distribution of pirated content • Original response: Prosecution Evolutionary sequence: • Attack #2: Distribute circumvention tools instead pirate copies • Response #2: Digital Millennium Copyright Act (1998) • Attack #3: Napster • Response #3: Litigation (Napster shut down 2001) • Attack #4: Grokster & others test the lines of legality • Response #4: MGM v. Grokster (Grokster shut down 2005) • Attack #5: Rise of BitTorrent • Response #5: Attack trackers (torrent.ls, Demonlod, OINK.ed... In 2007) • Attack #6: Trackers in "safe" jurisdictions; trackerless protocols Vit>DMCA => =>0 ra BitTorrent EFTA_R1_01470129 EFTA02409742 RSACONFERENCE2008 RSACONFERENCE2008 On-line piracy: Predicting future evolution Communication & storage advances. Current efforts by rights holders — Laws requiring increased responses by ISPs — Increased prosecution of individuals — International legal efforts (such as vs. The Pirate Bay) • Which will lead to increased... — Funding of legal counterattacks (such as Sweden's Pirate Party) — Decentralized, anonymous, encrypted file sharing systems • Which will lead to... — Efforts to increase penalties for those who get caught (like mail theft) — Dramatically increased effort to flood pirate networks with fake files and degrade the pirate user experience • Which will lead to... — Sympathy campaigns for targets — Public key reputation systems to authenticate posted files 13 RSACONFERENCE2008 Pay TV signal theft... • Another interesting case study: — Long history of co-evolution — Sophisticated participants — Broad range of strategies attempted — Significant attacks are visible firmo.wir lump 0> New demos Prey (aka defender) Predator (aka attacker) Na exploit EFTA_R1_01470130 EFTA02409743 RSACONFERENCE2008 RSACONFERENCE2 Pay TV signal theft... Example: Popular channels like HBO, ESPN, etc. are not legally available in Canada (don't meet local rules) — Result: Thriving black market (Canadians pay more than what US subscribers pay) — Pirates have made a fortune breaking security • Example: "vcipher" raid = $13M (CDN) cash/checks/bonds + 10,000 access cards + guns... Est revenue: $10M/year — Attacks spill back into the US market Result: Extreme pressure on the technical systems • • , MI Is Et o i 4 • t+rtAiiNia4:‘;:•iii.,i1..... Pay TV signal theft... Numerous examples of evolutionary sequences: - Analog traps. DISCRET, OAK. EBU... attacked using pirate boxes - VideoCipher II. VideoCipher II+ ... attacked by VMS & other attacks - VideoCrypt: • First 5 card gens: Limit voltage/current on 21V external prog pin • 6th card gen: PIC-based message blocker ("Kentucky Fried Chip") • 7th card gen: PIC16C84-based blocker/emulator ("Ho Lee Fook") • 7th card gen: PC-based emulator by Markus Kuhn • 8th card gen: Abandoned. (Same as 7th with different keys) • 9th card gen: Phoenix programs (record & replay activations) • 9th card gen: Full emulator cards (-battery cards*, Dallas 5002FP) • 9th card gen: SEASON programs • 10th card gen: Phoenix programs, battery cards • 11th card gen: Replaced (reason unknown) • 12th card gen: (migration to new architecture) to man hum, EFTA_R1_01470131 EFTA02409744 RSACONFERENCE2008 RSACONFERENCE2OO8 Pay TV Tradition of high hopes then disappointment — New products were expected to work, but didn't — Each product's generation addressed the previous failure, not necessarily logical predictions about future risks - Risks hidden until commercial exploits arose • Humans instinctively obsess over measures to fix past failures - Good vs animal predators - Not against agile attackers. Q: If attacks were less visible, would the first card generation have ever been replaced? a-= 17 (inktom•hi.ifron. RSACONFERENCE2OO8 Detectability & Information asymmetries • As defenders, we optimize based on what we know — Defending is much harder if we don't know the attack — Smart adversaries hide information • Unnecessarily visible attacks (such as viruses/worms that replicate in the wild) are generally the stupidest — Example: Information theft for insider trading • Detected attacks = stopped and/or prosecuted • Strategy: Stealth + narrow targeting — Ex: Anti-virus/blacklisting software is useless • Defender uncertainty: Am I dangerously exposed... or overly paranoid? 18 EFTA_R1_01470132 EFTA02409745 RSACONFERENCE2008 Revisiting the cycle... r Attacker gains if the response takes longer Defender loses if there is no effective fix RSACONFERENCE20 Defender wins if no attack attempted (e.g., system is obscure, doesn't appear to be worth attacking, or defender is lucky) New defense Prey (aka defender) Defender loses if the attack is catastrophic (= detection irrelevant) Predator (aka attacker) New exploit Defender loses if no response because attack is not detected Defender wins if attacker fails (robust design, luck. attacker resource limits...) "Success" is measured as a cost/benefit: ,== • Defender. Cost of defense vs. reduction in loss 19 freKrautr htun • Attacker: Cost/risk of attack vs. benefits A zero-sum game? When attackers are thriving, the burden is felt disproportionally by some targets - Attackers pick easiest victims • If one target becomes harder to catch, predators switch to the easier prey - Attackers expect changes and diversify (Pay TV, credit card fraud, bogus checks. drugs, weapons...) • Consequence #1: Security improvements offer a double reward — Eliminate the problem and competitors face extra predation • Consequence #2: Benefits are local, not systemic — Fraud is redistributed, but the impact on the predator is often small (The delta between the original attack and the next-best alternative) •r e...1111r.; I r it T C / A i n 74 . • • * • • 4 • (voltam*, hum) - • Hungry lions stalking zebra a ric impala in the Okavanco Delta 20 EFTA_R1_01470133 EFTA02409746 RSACONFERENCE2008 vpm. In-SOO , Many strategies can work, but in all cases the long-term survival of prey species depends on evolving as predators become more effective [We're the prey] • -4:7,1-wir4V t. EFTA_R1_01470134 EFTA02409747 RSACONFERENCE2008 "If the bad guys appreciated how much effort we put into patching, do you think they might stop compromising our system?" 23 RSACONFERENCE2008 Evolving faster & better... • Genetic improvements happen gradually - Less fit organisms don't propagate • A few species specialize in a much faster way to adapt — Learning 24 Nino.inututh. EFTA_R1_01470135 EFTA02409748 RSACONFERENCE2008 RSACONFERENCE2 Address information asymmetries that limit evolution Attackers hide information to prevent good strategic decisions • Many examples - Britain & US lives sacrificed to keep Germany from knowing the Enigma was broken • But adversaries often leave hints... - Germans knew U-boat losses were inexplicably high, but had too much faith in the Enigma — Is card use at certain merchants linked to subsequent fraud? — Is stock trading correlated to pending M&A announcements? — Are solicitations from customers being sent to addresses in your mailing list? (Tricky to distinguish clever inferences from stolen info!) 26 EFTA_R1_01470136 EFTA02409749 RSACONFERENCE2008 Example #1: Academy screeners... • Academy members need to see movies so they can vote for them - Problem: Rampant piracy of screeners — Too expensive & difficult to make uncopyable • Solution: Forensic marking ishr — Unique identifying marks in each original - Enables copies to be traced to the Academy member • Extra information forced the predators into the open — Today, movies still get pirated, but the sources get shut off quickly (+ prosecuted if appropriate, e.g. Russell Sprague) - Successful: Piracy from Academy screeners is now self-limiting Umixam,hvom RSACONFERENCE2008 Example #2: Honeypots, etc. • Problem: How to tell if outside attackers have breached a network - Approach: Put a honeypot on the network that will tempt adversaries who have breached the perimeter & alert you • If it is raided: proof something is horribly wrong • Useful datapoint (though not conclusive) if not breached Related approaches for other problems, e.g.: — Tempting URL in comments in sensitive source code — Traceable addresses in mailing list copies Unwovhmoy 28 EFTA_R1_01470137 EFTA02409750 RSACONFERENCE2008 RSACONFERENCE2008 Allocate resources to maximize the ability to evolve — and limit adversaries' ability 29 (inktom•hi.ifron. RSACONFERENCE20O8 How should resources be allocated? Option #1: Invest in many incremental responses: — Each provides some temporary relief... but will never 'win' — Pros: Disrupts pirate viewers, low-cost, easy to develop — Cons: Gets broken quickly; continuous investment required Option #2: Invest in a major defensive upgrade — The best strategy if the attackers can be driven away to other targets — Pros: Potential to fundamentally change the situation — Cons: Long lead time. more expensive, requires skilled engineering Game theory problem — right answer depends on risk model - Non-evolutionary models biased toward incremental approaches - Evolution-aware models tend to favor decisive efforts, if available • Iterative processes train adversaries + can increase attacker profits (= stronger attacker next time) sa • If attacker dies or specializes in other prey, a broad range of -=-=- risks decrease (e.g., if attack infrastructure is dismantled, it 30 0,„"„,,h,„,0 won't be there to exploit future vulnerabilities) EFTA_R1_01470138 EFTA02409751 RSACONFERENCE2008 'CONFERENCE? Contrasting strategies we've built and deployed Self-Protecting Digital Content Renewable anti-piracy system: Enable defenses to evolve - Integrates security software with content - Each disc./title carries security code for its own playback - Enables new discs to carry new countermeasures - Complements (imperfect) defenses - Deployed in Blu-ray (BD+) CryptoFirewall Tamper-resistant silicon core: Goal to completely end attacks — Typically manufactured as part of a larger ASIC — Intra-chip security perimeter: secure even if rest of chip fails — Far stronger and more cost- effective than general purpose chips (e.g.. smart cards) — 50M+ pay N chips deployed (t. , •:4 ! Utilize indirect information effectively EFTA_R1_01470139 EFTA02409752 RSACONFERENCE2008 Organizational perspective • How well does your organization learn from past failures? — Example — airplane crashes - Good example: FAA - Mediocre: TSA • Immediate causes are usually obvious — A specific vulnerability — Patching the immediate cause wastes a valuable opportunity • The proximal and root causes are most important — Poor communication between engineering groups? — Critical design tasks performed by unassisted novices? — Insufficient security budget? etc. Itamorn Monti Organizational perspective • Different organizations have different problems - Smaller organizations • Challenges tend to be lack of infrastructure, resources — Bigger organizations: • Can develop internal expertise by exposing a few people to problems across the organization • ... but tend to overload people with policies & politics • ... and consequences of failure are larger Inno.onn lump 34 EFTA_R1_01470140 EFTA02409753 RSACONFERENCE2008 RSACONFERENCE2008 Consistency vs. flexibility Policy compliance can be mind-numbing - ISO 9000, SOX, HIPAA, — Encourage uniformity, limits flexibility — Policy overhead distracts (or drives away) the best people A question of balance... - Security policies cannot substitute for common sense or hiring smart trustworthy people — Carelessness about consistency are also creates risk 35 nructm, Mom. "Look at the bright side. The total network meltdown will free the IT department to focus on our core mission: audit paperwork." 36 EFTA_R1_01470141 EFTA02409754 RSACONFERENCE2008 RSACONFERENCE2 Put yourself in the adversary's shoes Think a few moves ahead • How will the adversary respond? — What will be the new optimal strategy for the adversary? • Will this be better or worse for me than the old attack? — Will the adversary give up? Attack the competition? • How will the my organization respond to the updated attack? - Will people be surprised? Upset? — Do we have the next response planned? How long will it take to roll out? What will it cost? ... 2-- Itoto.umhtutto EFTA_R1_01470142 EFTA02409755 RSACONFERENCE2008 Trying on a black hat Internal "black hat" security brainstorming — Identify how your team would attack your own systems if they were disgruntled employees, competitors, extortionists, etc... — If an attack succeeded, what signs could observe that would suggest a breach? — What defensive upgrades could address the risks? If these were deployed, how would adversaries adapt? • Offer small prizes for the best insights — Goal: Encourage team to stop focusing on the why systems are strong, and instead ask how they can be made to fail Closing thoughts dJ EFTA_R1_01470143 EFTA02409756 RSACONFERENCE2008 On "Intelligent Design' • Can intelligent people build a complex system and get it right? — Doubtful... Windows... Linux... FreeBSD... etc. = too many interactions, too complex to secure reliably • Yet we can build complex systems that can evolve in response to new threats — Windows update, SPDC... Dn. ic oet•in. ma:rrv1.u, . Ow.). 00alfl. mg•tdo• thy ri.mg thAp nuietial .?•.••1•11.< oppo,aned -Pal an.pn nupd. aclulp. ,,,,, Jl. ,t, ,,Icrol ippeosa Al aM (0.np &rut of f doo flowerafaft. ..lotch 2k 1M11 Perhaps our best hope is to harness evolutionary processes to create systems that meet our needs... L. RSACONFERENCE2008 A thought experiment on factoring... If we want to evolve the ultimate factoring algorithm... O Create a random algorithm 0 Create some medium-sized random test integers O Test whether if algorithm can factor the test integers quickly • If not, randomly modify the algorithm and go to step 2. O Stop Even a completely dumb process will eventually stumble upon the optimal factoring algorithm, but smarter Lapproaches should yield results faster (1O,0OO1, h.f /110 42 EFTA_R1_01470144 EFTA02409757 RSACONFERENCE2008 OVPI0GRAPH, Rtst ARCH tan . at implemen asic x entities that study thetde find the answer, stop the siliAlatio RSACONFERENCE20 For a copy of my slides: Paul Kocher paul@cryptography.com We're hiring... Ask me or visit www.cryptography.com/jobs EFTA_R1_01470145 EFTA02409758