Software Security
Professor Clark Thomborson, Computer Science Department, Auckland University, NZ
Information Security Forum, 1st March 2001
What do we want from Security?
- Our home & office security systems should
  - allow authorised access, and
  - prevent unauthorised access.
- Security systems are imperfect. They will
  - deny access to an authorised user (type-1 fault),
  - allow unauthorised access (type-2 fault), and
  - misdefine “authorised” or “access” (type-3 fault).
- Type-1 and type-2 faults are technical defects in implementation or operation.
- Type-3 faults result from misunderstandings, disagreements or ignorance of law, ethics, economics, psychology, politics, technology…
Technological Utopia
- Most technologists prefer “open systems”.
- Physical analogy: an open door allows access to anyone (who can “walk up to the door”).
- Examples of open-access systems:
  - Free-to-air television allows unrestricted viewing (if you have a TV in a broadcaster’s area);
  - The world-wide web allows unrestricted viewing (if you have a computer, web-browser software, and an ISP).
- Virtues:
  - extreme simplicity;
  - no type-2 faults (there are no unauthorised accesses!);
  - wonderful possibilities for interoperability with other systems.
Type-1 Faults in Open Systems
- Open systems may be overloaded, denying access from time to time.
- Open systems may be subverted, becoming inoperable from time to time.
  - A hacker may overwrite my website. (Type-3 fault? I intend my website to allow open access for viewing, but not open access for writing!)
  - My email may contain a virus. (Type-3 fault? I intend my email ‘inbox’ to be open-access for incoming mail, and I like the “easy-open features” of MS OE, but I don’t want to lose control of my computer!)
Type-3 Faults in Open Systems
- Economic: donations, advertising revenues, subsidies, or other indirect funding may be insufficient to sustain operations.
- Legal: civil (e.g. infringement through MP3 downloads) or criminal (e.g. supplying pornography).
- Ethical: is it appropriate to value our “right to know” above our “right to privacy” and our “right to fair compensation for work”?
Extreme Solutions
- Open systems avoid type-2 faults.
- Non-responsive systems avoid type-1 faults: they never allow an unauthorised access!
- Most well-designed systems have some access restrictions, in three layers:
  - Prevention, to limit type-1 and type-2 faults.
  - Detection, to discover faults.
  - Response, to minimise future faults.
Prevention Techniques (Controls)
- There are three main classes of control:
  - Ethical controls, e.g. “Thou shalt not steal”;
  - Legal controls, enforced by the state;
  - Technical controls, enforced by systems design. Example: authentication by passwords, smartcards, or biometrics.
- Software security systems allow (and require) new forms of control.
- Challenge: the controls in “physical systems” may not have analogues in “virtual systems”.
Ethical Challenges
- When I think about copying software or music for a friend, should I pay attention to
  - “Thou shalt not steal” (Mosaic law) or
  - “Faith, hope, charity” (Christian virtue)?
- We have well-developed ethics to guide our distribution of physical goods: consider water and gold.
- We are just beginning to develop an ethics to guide our distribution of software.
  - Free software:
The Ethics of Free Software (John Goerzen)
- “Proprietary (or closed) software lacks many of the benefits that society has derived from the marvels of the industrial revolution.”
- “When a proprietary project is developed, there is no peer review.”
- “Imagine taking a flight on a jumbo jet designed by only a single person with no safety review from others.”
  - http://www.complete.org/papers/fsethics/
Emergent Ethics of Software Piracy?
- “Insider’s entitlement”: if you’re clever enough to find “warez” then you deserve to have it without paying.
- However… A “lamer” is someone who “scams codes off others, rather than doing cracks or really understanding the fundamental concepts.”
  - The New Hacker’s Dictionary, http://www.tuxedo.org/~esr/jargon
Ethical Analysis of Copyright
- Samuel Johnson: “For the general good of the world,” a writer’s work “should be understood as belonging to the publick.” (The public’s right to information.)
- Richard Aston: it is “against natural reason and moral rectitude” that a government should “strip businesses of their property after fourteen years.” (The publisher’s right to compensation.)
A Chinese Ethics of Copyright?
- Pirated software is easily available in Hong Kong.
- What is “fair compensation for work” in China?
  - Multinationals might pay USD $0.11/hour for labour; is this consistent with copyright charges?
- The Confucian ethic of “Wen” implies that Mandarins should produce (but not sell) art.
- What were Mao’s thoughts on copyright?
- China is a signatory to international copyright agreements. The government promises to enforce the agreements, but I wonder about the process of developing an ethic of compliance.
Legal Challenges
- Defining the boundaries of “intellectual property” (law of copyright, patent, trademark, trade secret, as applied to software systems and databases).
- Jurisdictional disputes: which nation’s laws should apply?
- Distinguishing between authorised use and abuse, especially in open systems: 1 million customers/day at a website is ok, but 1 billion “SYN” messages from a virus-swarm is not ok!
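The last point, that volume and behaviour rather than identity separate a customer from a virus-swarm in an open system, is the kind of rule a detection layer can encode. The following is an added example written for this page, not code from the talk: a sliding-window detector over constructed connection events that flags a source whose SYNs are not followed by the rest of the handshake. The window and threshold values are assumptions chosen for the demo.

```python
"""Sliding-window SYN-rate detector (added example).  Constructed events, not a
real capture: one ordinary customer completing handshakes beside one source of a
SYN swarm.  Thresholds are assumptions chosen for the demo."""
from collections import defaultdict, deque

# Constructed sample: (timestamp in seconds, source address, event type).
SAMPLE_EVENTS = (
    [(t * 60.0, "10.0.0.5", "SYN") for t in range(10)]            # one customer: a SYN a minute...
    + [(t * 60.0 + 0.1, "10.0.0.5", "ACK") for t in range(10)]    # ...each followed by its ACK
    + [(100.0 + i * 0.001, "198.51.100.7", "SYN") for i in range(2000)]  # swarm member: 2000 SYNs in 2 s, never ACKed
)

WINDOW_SECONDS = 1.0            # assumption: how far back we look
MAX_HALF_OPEN_PER_WINDOW = 100  # assumption: tolerated uncompleted SYNs per window


def half_open_rate_alerts(events, window=WINDOW_SECONDS, limit=MAX_HALF_OPEN_PER_WINDOW):
    """Return {source: timestamp_first_flagged}.

    A source is flagged when it has more than `limit` SYNs without matching ACKs
    inside any `window`-second span.  An ACK retires that source's oldest
    outstanding SYN, so a client that completes its handshakes stays below the
    limit however many requests it makes over a day; a flood that never
    completes them crosses it within a fraction of a second."""
    outstanding = defaultdict(deque)   # source -> timestamps of SYNs not yet answered
    flagged = {}
    for ts, src, kind in sorted(events):
        pending = outstanding[src]
        if kind == "ACK":
            if pending:
                pending.popleft()
            continue
        if kind != "SYN":
            continue
        pending.append(ts)
        while pending and ts - pending[0] > window:   # expire SYNs older than the window
            pending.popleft()
        if len(pending) > limit and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, when in half_open_rate_alerts(SAMPLE_EVENTS).items():
        print(f"{src}: more than {MAX_HALF_OPEN_PER_WINDOW} half-open SYNs within {WINDOW_SECONDS}s at t={when:.3f}")
```

The customer at 10.0.0.5 is never flagged because each of its SYNs is retired by an ACK, while the swarm source crosses the limit at its 101st unanswered SYN, about a tenth of a second into the flood. A production detector would key on more than the source address (swarms spoof it), which is exactly why the slide frames this as a legal as well as a technical question.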
Technical Challenge: Ubiquity
- World-wide reachability: billions of potential attackers!
- A person robbing a physical bank vault must travel to the vault, and transport the spoils.
- A person robbing a “virtual bank” may do so from anywhere on the planet.
- Virtual systems and virtual attackers lack “physical presence”!
Technical Challenge: Speed
- Virtual systems may operate at inhumanly fast speeds, overrunning our ability to respond to a new type of attack.
- How can we “change the locks” on a virtual door within milliseconds of an attack???
Technical Challenge: Identity
- Existing security systems for the physical world rely on millennia of practical and legal experience in establishing identity and responsibility.
- “Virtual identity” is in its infancy, although PKI is a good start…
Authorisation in a Virtual World
- In a traditional library, a person must walk through a door in order to view a copy of a book. Technology: locks, library cards, magnetic strips & detectors, …
- In a virtual library, a person delegates authority to a software proxy.
  - A 14-digit code, when typed on my computer keyboard, will authorise my web-browsing software to act as my proxy at my University’s online library.
  - My proxy can make copies of library materials.
  - Technology: access codes, passwords, proxies, …
  - Security issues: unauthorised copying, impersonation.
- Type-3 question: What access controls are appropriate for a virtual library?
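One way to limit what a delegated proxy can do, added here as an illustration and not the protocol of any real library: instead of handing the proxy the access code itself, the user authenticates once to an issuer and the proxy receives a signed, short-lived token that names the delegated scopes. The library verifies the signature before trusting anything in the token, so a proxy granted only “view” cannot copy, and an altered or forged token (impersonation) is rejected. The key, claim names and scope names are assumptions constructed for the demo.

```python
"""Scoped delegation for a software proxy (added example, not any library's real
protocol).  The user proves identity to an issuer once; the proxy then carries a
signed, short-lived token naming what it may do, so the library can refuse
actions the user never delegated and tokens it did not sign.  Key is constructed."""
import base64
import hashlib
import hmac
import json
import time

LIBRARY_KEY = b"constructed-demo-key-not-for-production"  # assumption: shared by issuer and library


def _sign(payload: str) -> str:
    return hmac.new(LIBRARY_KEY, payload.encode(), hashlib.sha256).hexdigest()


def _encode(claims: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()


def issue_token(user_id, scopes, ttl_seconds, now=None):
    """Issuer side.  `scopes` is what the user delegates (e.g. {"view"});
    the token expires after `ttl_seconds`."""
    now = time.time() if now is None else now
    payload = _encode({"sub": user_id, "scopes": sorted(scopes), "exp": now + ttl_seconds})
    return payload + "." + _sign(payload)


def check_token(token, required_scope, now=None):
    """Library side.  Returns (True, user_id) or (False, reason).
    Order matters: verify the signature before trusting any claim."""
    now = time.time() if now is None else now
    payload, sep, sig = token.partition(".")
    if not sep:
        return False, "malformed"
    if not hmac.compare_digest(sig, _sign(payload)):
        return False, "bad signature"          # forged or altered token: impersonation attempt
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if now > claims["exp"]:
        return False, "expired"
    if required_scope not in claims["scopes"]:
        return False, "scope not delegated"    # e.g. a view-only proxy trying to copy
    return True, claims["sub"]


def altered_token(token, **new_claims):
    """Negative-test helper: rewrite claims but keep the original signature,
    which is what a tampered token looks like to the library."""
    payload, _, sig = token.partition(".")
    claims = json.loads(base64.urlsafe_b64decode(payload))
    claims.update(new_claims)
    return _encode(claims) + "." + sig


if __name__ == "__main__":
    token = issue_token("student-42", {"view"}, ttl_seconds=3600)
    print("view:", check_token(token, "view"))
    print("copy:", check_token(token, "copy"))
    print("tampered:", check_token(altered_token(token, scopes=["copy", "view"]), "copy"))
```

The design choice worth noting is that the 14-digit code never leaves the user's keyboard-to-issuer exchange; the proxy only ever holds a token whose power is bounded by scope and expiry, which is the control that addresses both of the slide's security issues, unauthorised copying and impersonation.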
Technical Challenge: Complexity
- A lone attacker can spend a long time analyzing a system before mounting a widespread attack.
- The security analyst doesn’t have the luxury of time when analyzing what might be going wrong in a complex system.
- A hasty fix may cause more damage than the attack!
Novel Controls on Software Piracy (my research)
- We can “obfuscate” software.
  - Obfuscated software is very difficult for a human to understand, so it resists “reverse engineering”.
  - Obfuscated software is functionally identical to the unobfuscated version.
- Obfuscation will limit unauthorised modification of software.
- It is very difficult to prevent unauthorised copying, reuse, and resale of software.
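To make the two properties on this slide concrete (harder to read, yet functionally identical), here is an added example of one classic obfuscating transformation, the opaque predicate. It is written for this page and is not the author's obfuscator: every top-level statement of a function is wrapped in a branch whose condition is always true but not obviously so, with a dead branch the reader has to rule out, and the result is checked against the original on random inputs. The sample `checksum` function and the predicate `_v * (_v + 1) % 2 == 0` are constructed for the demo.

```python
"""Opaque-predicate obfuscation at the AST level (added example; not the
author's obfuscator).  Every top-level statement of the function is wrapped in
a branch whose condition is always true but not obviously so, with a dead
branch the reader must rule out.  The transformed function is then checked
against the original on random inputs to show it is functionally identical."""
import ast
import random

# Constructed sample program to obfuscate.
SOURCE = '''
def checksum(data):
    total = 0
    for b in data:
        total = (total * 31 + b) % 65521
    return total
'''


class OpaquePredicateInserter(ast.NodeTransformer):
    """_v * (_v + 1) is even for every integer _v, so the guard always holds;
    _v is derived from a runtime value so a constant folder cannot remove it."""

    def __init__(self, seed=1):
        self.rng = random.Random(seed)

    def visit_FunctionDef(self, node):
        # Assumption: the function has a positional parameter to derive _v from;
        # fall back to a literal otherwise.
        first_arg = node.args.args[0].arg if node.args.args else "0"
        body = ast.parse(f"_v = len(str({first_arg}))").body
        for stmt in node.body:
            guard = ast.parse("_v * (_v + 1) % 2 == 0", mode="eval").body
            dead = ast.parse(f"raise RuntimeError({self.rng.randint(1, 10**6)})").body
            body.append(ast.If(test=guard, body=[stmt], orelse=dead))
        node.body = body
        return node


def obfuscate(source, seed=1):
    tree = OpaquePredicateInserter(seed).visit(ast.parse(source))
    return ast.unparse(ast.fix_missing_locations(tree))   # ast.unparse needs Python 3.9+


def load(source, name):
    namespace = {}
    exec(compile(source, "<generated>", "exec"), namespace)
    return namespace[name]


def equivalent(source, name, trials=300, seed=0):
    """Differential test: original vs obfuscated on random byte strings."""
    rng = random.Random(seed)
    original, obfuscated = load(source, name), load(obfuscate(source), name)
    for _ in range(trials):
        data = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 40)))
        if original(data) != obfuscated(data):
            return False
    return True


if __name__ == "__main__":
    print(obfuscate(SOURCE))
    print("equivalent:", equivalent(SOURCE, "checksum"))
```

Printing `obfuscate(SOURCE)` shows three guarded statements, each with an unreachable `raise`; `equivalent` confirms the behaviour is unchanged. A real obfuscator applies many such transformations at every nesting level and mixes in control-flow and data transformations, but the principle is the same: the program's semantics are preserved while the work needed to understand or modify it grows.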
Software Watermarking
- We can add indelible “watermarks” or “fingerprints” to software.
- Any copy of the software, even after common translations (such as decompiling and recompiling), will carry the watermark.
- A watermark can identify the manufacturer.
- A fingerprint can identify the licensed owner.
- Unauthorised copying can be detected.
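An added example of one well-known way to embed such a fingerprint, written for this page and not the author's watermarking system: when a program contains k independent units whose order does not matter (here, handler functions reached only through a dispatch table), the order in which they appear can encode an integer in the range [0, k!), and `extract()` reads it back from any copy that preserves definition order. The handlers, dispatch table and fingerprint values are constructed for the demo.

```python
"""Fingerprint embedded as a permutation of independent code units (added
example of one known scheme; not the author's watermarking system).  The
order in which k independent handler functions appear in the source is
meaningless to the program but encodes an integer in [0, k!), read back by
extract().  Handlers and dispatch table are constructed for the demo."""
import ast
import math

K = 8  # number of independent handlers; capacity is 8! = 40320 distinct fingerprints


def handler_source(i):
    # Constructed independent units: each depends on no other handler.
    return f"def handle_{i}(x):\n    return x * {i + 2} + {i}\n"


DISPATCH_SOURCE = (
    "def dispatch(op, x):\n"
    "    return globals()['handle_' + str(op)](x)\n"
)


def permutation_from_number(n, k):
    """Lehmer-code decoding: integer n in [0, k!) -> permutation of range(k)."""
    if not 0 <= n < math.factorial(k):
        raise ValueError("fingerprint out of range")
    items, perm = list(range(k)), []
    for i in range(k, 0, -1):
        idx, n = divmod(n, math.factorial(i - 1))
        perm.append(items.pop(idx))
    return perm


def number_from_permutation(perm):
    """Inverse of permutation_from_number."""
    items, n, k = sorted(perm), 0, len(perm)
    for pos, p in enumerate(perm):
        idx = items.index(p)
        items.pop(idx)
        n += idx * math.factorial(k - pos - 1)
    return n


def embed(fingerprint):
    """Emit the program with handlers ordered to encode `fingerprint`."""
    order = permutation_from_number(fingerprint, K)
    return "".join(handler_source(i) for i in order) + DISPATCH_SOURCE


def extract(source):
    """Recover the fingerprint from the order of handler definitions.  Survives
    any transformation that preserves definition order (reformatting, renaming
    locals, a decompile/recompile cycle that keeps function order); a transformation
    that reorders functions destroys it."""
    names = [node.name for node in ast.parse(source).body
             if isinstance(node, ast.FunctionDef) and node.name.startswith("handle_")]
    return number_from_permutation([int(name.split("_")[1]) for name in names])


def run_embedded(fingerprint, op, x):
    """Show the program behaves identically whichever mark it carries."""
    namespace = {}
    exec(embed(fingerprint), namespace)
    return namespace["dispatch"](op, x)


if __name__ == "__main__":
    licensee = 12345  # constructed fingerprint for one licensed owner
    program = embed(licensee)
    print(program)
    print("extracted:", extract(program), "dispatch(3, 5) =", run_embedded(licensee, 3, 5))
```

Two copies of the program fingerprinted for different licensees compute exactly the same results, and the fingerprint survives any tool that keeps function order. The obvious limitation, that an adversary who knows the scheme can reorder the functions, is why practical schemes spread the mark across several independent encodings and why the slide calls detection of unauthorised copying, rather than prevention, the achievable goal.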
Summary
- Security systems suffer three types of faults:
  - Denial of authorised access
  - Allowing unauthorised access
  - Inappropriate specification
- Access can be controlled by ethical, legal and technological means.
- Analogues to physical access controls, such as location, speed and identity, are lacking in software systems.
- Software security is in its infancy; however, there are partial solutions.