Strategies in Using Source Material
Outcomes addressed in this activity:
Unit Outcomes:
- Apply introductory skills with the online library.
- Prepare correctly-written quotes, paraphrases, and summaries with an understanding of plagiarism avoidance.
- Prepare APA-standard in-text citation and reference entries for professional journal articles and web sources.
- Apply additional document formatting skills.
Course Outcome:
IT513-1: Illustrate information technology ideas with professional language and attribution.
Purpose
You will practice various methods to use and identify source material in this Assignment, including quoting, paraphrasing, and summarizing. Complete the Unit 2 Reading before beginning work.
Assignment Instructions and Requirements
Go to the Academic Tools tab in this course and select the Library link. Then select the link that indicates resources for this course. Direct links to article pages are found in this location. Choose any two articles from the list, depending on your interest or curiosity. Should a link not work, report it to your instructor and then choose a different one from the list.
Part 1: Quoting
Required source: A professional journal article from the list presented in the Library section of the classroom as explained above.
Your writing must follow the rules for formal writing style as explained in the Unit 1 reading.
Quotation 1: Placing the citation within the quote
- Choose a meaningful statement of 25–39 words from the article and quote it properly, starting your sentence with According to or a similar introduction, and inserting proper citation as explained in the Reading.
Quotation 2: Citation at the end of a quote
- Choose a different meaningful statement of 25–39 words from the same article and quote it without introduction, using in-text citation after the end-quotation mark.
Required adjustment:
- Edit just one of your two quotes using brackets, an ellipsis, or [sic] correctly. These techniques are explained in the Reading.
Reference entry:
- Provide a full APA-standard reference entry for the journal article at the end of your document (last page). Hint: Use the library system to find the reference entry and then make corrections if necessary, as explained in the Reading. You may have to look at the article itself for volume, issue, and page numbers.
Part 2: Paraphrasing and Summarizing
Required source: Choose a different journal article from the Library list. It is recommended that you pick an article from the list that is relatively easy for you to understand for this section, especially if you are rather new to the technology field.
Paraphrase:
- Choose a paragraph or short section of the article.
- Write a one paragraph, 175–225 word paraphrase. Do not include any quotes. Write formally, following the rules presented in the Unit 1 reading.
- Follow the paraphrase with proper in-text citation.
Summary:
- Read through the entire article.
- Write a one paragraph, 200–250 word summary (overview) of the article. Do not include any quotes, and write formally.
- Follow the summary with proper in-text citation.
Reference entry:
- Provide a full APA-standard reference entry for the article on the last page of your document.
Formatting Requirements
- Please see the Unit Reading to understand how these actions should be accomplished. Again, do not use a ready-made template; as an IT professional, you must be able to accomplish formatting on your own:
- Header with correctly written Running head and page numbers.
- Appropriate content for the cover page, including a descriptive paper title.
- The title reiterated on the top line of the first body page, centered and not bold.
- Subheadings (Quotes, Paraphrase, and Summary), properly centered and bold.
- Also include the same parameters as learned in the Unit 1 assignment:
- 1" margins on all sides.
- The entire paper properly double-spaced.
- The first lines of paragraphs indented ½" using the indent tool.
- All font the same size and style: Times New Roman size 12.
Directions for Submitting Your Assignment
- Name your Word® document with the following convention: IT513-Unit2-LastName-FirstName (using your own name).
- Make sure you read all instructions carefully and review the rubric before submitting to the Dropbox for Unit 2.
Reminders
- Proofread your work for grammar, spelling, punctuation, capitalization, and formality.
- Ensure that your work is not copied from sources. Copying does not prove an understanding of the material, and plagiarism will not be tolerated. In accordance with the University's Academic Integrity policy, your assignment will be automatically submitted to TurnItIn.
Communications of the ACM, November 2016, Vol. 59, No. 11, pp. 20–23
Viewpoints
Privacy and Security
Cyber Defense Triad for Where Security Matters
Dramatically more trustworthy cyber security is a choice.
Roger R. Schell
DOI:10.1145/3000606

In the early days of computers, security was easily provided by physical isolation of machines dedicated to security domains. Today’s systems need high-assurance controlled sharing of resources, code, and data across domains in order to build practical systems. Current approaches to cyber security are more focused on saving money or developing elegant technical solutions than on working and protecting lives and property. They largely lack the scientific or engineering rigor needed for a trustworthy system to defend the security of networked computers in three dimensions at the same time: mandatory access control (MAC) policy, protection against subversion, and verifiability—what I call a defense triad.

Fifty years ago the U.S. military recognized subversion[a] as the most serious threat to security. Solutions such as cleared developers and technical development processes were neither scalable nor sustainable for advancing computer technology and growing threats. In a 1972 workshop, I proposed “a compact security ‘kernel’ of the operating system and supporting hardware—such that an antagonist could provide the remainder of the system without compromising the protection provided.” I concluded: “We are confident that from the standpoint of technology there is a good chance for secure shared systems in the next few years. However, from a practical standpoint the security problem will remain as long as manufacturers remain committed to current system architectures, produced without a firm requirement for security. As long as there is support for ad hoc fixes and security packages for these inadequate designs, and as long as the illusory results of penetration teams are accepted as a demonstration of computer system security, proper security will not be a reality.”[8]

[a] As characterized by Anderson et al.,[2] “System subversion involves the hiding of a software or hardware artifice in the system that creates a ‘backdoor’ known only to the attacker.”

Current Approaches Aren’t Working
Our confidence in “security kernel” technology was well founded, but I never expected decades later to find the same denial of proper security so widespread. Although Forbes reports spending on information security reached $75 billion for 2015, our adversaries are still greatly outpacing us. With that large financial incentive for vested interests, resources are mostly devoted to doing more of what we knew didn’t work then, and still doesn’t.

Why does cyber security seem so difficult? Today’s emphasis on surveillance and monitoring tries to discover that an adversary has found and exploited a vulnerability to penetrate security and cause damage—or worse, subverted the security mechanism itself. Then that hole is patched. But science tells us trying to make a system secure in this way is effectively non-computable. Even after fixing known flaws, uncountable flaws remain. Recently, Steven Lipner, formerly of Microsoft, wrote a Communications Privacy and Security column advocating technical “secure development processes.”[6] But, similar to surveillance, “as new classes of vulnerabilities … are discovered, the process must be updated.”

This paradigm has for decades been known as “penetrate and patch.” The defender needs to find and patch most (if not all) of the holes, while the adversary only needs to find and exploit one remaining hole. Even worse, a witted adversary has numerous opportunities to subvert or sabotage a computer’s protection software itself to introduce insidious new flaws. This is an example of “malware,” a preferred attack for many of the most serious breaches. An IBM executive a few years ago described the penetrate-and-patch cycle as “an arms race we cannot win.”[5]

Cyber Defense Triad for Secure Systems
All three defense triad components are critical for defense of both confidentiality and integrity of information—whether the sensitive information is personally identifiable information, financial transactions (for example, credit cards), industrial control systems in the critical infrastructure, or something else that matters. Although not sufficient for perfect security, all three are practically necessary. These dimensions can be thought of as three strong “legs of a stool,” as illustrated in Figure 1.

Figure 1. Cyber security defense triad. Three legs (Verifiability, Limit Subversion, Mandatory AC) support Secure Systems:
- Subversion is tool of choice for witted adversary
- Only label-based MAC policy can enforce secure information flow
- Security kernel (reference monitor) is only known verifiable protection technology

Security for cyber systems built without a trustworthy operating system (OS) is simply a scientific impossibility. NIST has emphasized, “security dependencies in a system will form a partial ordering … The partial ordering provides the basis for trustworthiness reasoning.”[3] Proven scientific principles of the “Reference Monitor” model enable engineering a verifiably secure OS on which we can build secure cyber systems.

For a Reference Monitor implementation to work, it must ensure three fundamental properties. First, it must validate enforcement of the security policy for every reference to information. Second, it must be tamper-proof, that is, it cannot be subverted. Lastly, it must be verifiable, so we have high assurance it always works correctly. These three fundamental properties are directly reflected in the cyber defense triad.

As illustrated in Figure 2, a Reference Monitor controls access by subjects to information in objects. A security kernel is a proven way to implement a reference monitor in a computer. Whenever a user (or program acting on behalf of a user) attempts to access information in the computer system, the Reference Monitor checks the user’s clearance against a label indicating the sensitivity of that class of data. Only authorized users are granted access.

Applying the Cyber Defense Triad
The flawed foundation of current systems is evident in the unending stream of OS security patches that are today considered part of best practices. But we can choose a better alternative. At least a half-dozen security kernel-based operating systems have been produced that ran for years (even decades) in the face of nation-state adversaries without a single reported security patch.[7] These successes were not unexpected. As a 1983 article put it, “the security kernel approach provides controls that are effective against most internal attacks—including some that many designers never consider.”[1] That is a fundamentally different result than penetrate and patch.

These systems did not survive long after the end of the Cold War, and much of the “institutional memory” is now lost. But fortunately, some security kernel products were maintained and this original equipment manufacturer (OEM) technology is still commercially available today. And many commodity processors (for example, those that implement the Intel IA32 architecture) still include the hardware segmentation and protection rings essential to efficient security kernels. High assurance of no security patches is truly a paradigm shift. What alternative approach comes close?

Mark Heckman of the University of San Diego and I recently published a paper focused on techniques for applying those Reference Monitor properties, leveraging the fact that “associated systematic security engineering and evaluation methodology was codified as an engineering standard in the Trusted Computer System Evaluation Criteria (TCSEC)”[4] created by NSA. However, the TCSEC didn’t include administration and acquisition mandates to actually use this knowledge to create a market in the face of entrenched vested interests. I refer interested readers to our paper for more details on the triad components summarized here.

- Mitigating software subversion. Several cyber security professionals have concluded that subversion “is the attack of choice for the professional attacker.”[2] The primary means for software subversion are Trojan horses and trap doors (commonly called malware). Under the seven well-defined security classes in the TCSEC, only Class A1 systems substantially deal with the problems of subversion.

- Mandatory access control (MAC) policy. The reference monitor is fundamentally about access control. All access control policies fall into two classes: Discretionary Access Control (DAC) and MAC. Only a label-based MAC policy can, with high assurance, enforce secure information flow. Even in the face of Trojan horses and other forms of malicious software, MAC policies can protect against unauthorized modification of information (integrity), as well as unauthorized disclosure (confidentiality).
Figure 2. Reference monitor. Subjects (active entities: user processes that gain access to information on the user’s behalf; subject security attributes, for example, a label for clearance) reach Objects (passive data repositories: segments, directories; object security attributes, for example, a label for classification) only through the Reference Monitor, which consults the Authorization Database and writes a record of all security-related user events to the Audit Trail.
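A runnable sketch of the label-based reference monitor in Figure 2, added here as an example; it is not code from this Viewpoint, from the Heckman and Schell paper, or from any security kernel product. It implements the two MAC rules behind the MAC bullet above, Bell-LaPadula for confidentiality (no read up, no write down) and Biba for integrity (no read down, no write up), alongside an owner-controlled ACL standing in for DAC, and records every decision in an audit trail. It then runs two constructed scenarios: a Trojan horse in a cleared user’s editor trying to copy a SECRET file into a public object, and downloaded code on an operator account trying to overwrite a relay set-point. The level names, subject and object names, sample contents and the enforce_mac switch are all illustrative assumptions; a real kernel has no switch that turns MAC off, and the switch exists only to contrast DAC-only behaviour. Python is used because the policy logic, not any particular kernel, is the point.

```python
"""Label-based reference monitor sketch (added example; see lead-in).
Models the Figure 2 components: subjects with a clearance label, objects with a
classification label, an authorization database (ACL plus MAC lattices) and an
audit trail.  All levels, names and contents are constructed for illustration."""
from dataclasses import dataclass, field
from enum import IntEnum


class Secrecy(IntEnum):      # confidentiality lattice (assumed linear)
    UNCLASSIFIED = 0
    SECRET = 1
    TOP_SECRET = 2


class Integrity(IntEnum):    # integrity lattice (assumed two-level)
    UNTRUSTED = 0            # code or data that arrived from the network
    TRUSTED = 1              # vetted code, protective set-points


@dataclass(frozen=True)
class Label:
    secrecy: Secrecy
    integrity: Integrity


@dataclass
class Subject:               # active entity acting on a user's behalf
    name: str
    label: Label             # assigned by the kernel, not by the program


@dataclass
class Object:                # passive repository: segment, directory, file
    name: str
    label: Label
    acl: frozenset           # DAC: owner-granted names; a Trojan running as owner can widen it
    contents: list = field(default_factory=list)


class ReferenceMonitor:
    """Mediates every subject-to-object reference and records the decision."""

    def __init__(self, enforce_mac=True):
        self.enforce_mac = enforce_mac   # False = DAC only, purely for contrast
        self.audit = []                  # (subject, object, mode, granted, reason)

    def _decide(self, s, o, mode):
        if mode not in ("read", "write"):
            return False, "unknown access mode"
        if s.name not in o.acl:
            return False, "DAC: subject not on ACL"
        if self.enforce_mac:
            sl, ol = s.label, o.label
            if mode == "read":
                if sl.secrecy < ol.secrecy:
                    return False, "MAC: no read up (simple security)"
                if sl.integrity > ol.integrity:
                    return False, "MAC: no read down (Biba)"
            else:
                if ol.secrecy < sl.secrecy:
                    return False, "MAC: no write down (*-property)"
                if ol.integrity > sl.integrity:
                    return False, "MAC: no write up (Biba)"
        return True, "granted"

    def access(self, s, o, mode, data=None):
        granted, reason = self._decide(s, o, mode)
        self.audit.append((s.name, o.name, mode, granted, reason))
        if not granted:
            return None
        if mode == "read":
            return list(o.contents)
        o.contents.append(data)
        return data


def trojan_horse_scenario(enforce_mac):
    """A Trojan horse in Alice's editor copies her SECRET file into a public
    object Mallory can read.  DAC cannot stop it: the editor runs as Alice and
    the public object's ACL admits everyone.  Returns (what Mallory reads, audit)."""
    rm = ReferenceMonitor(enforce_mac)
    editor = Subject("alice", Label(Secrecy.SECRET, Integrity.TRUSTED))
    mallory = Subject("mallory", Label(Secrecy.UNCLASSIFIED, Integrity.UNTRUSTED))
    plans = Object("plans.txt", Label(Secrecy.SECRET, Integrity.TRUSTED),
                   frozenset({"alice"}), ["launch codes"])
    public = Object("public/notes", Label(Secrecy.UNCLASSIFIED, Integrity.UNTRUSTED),
                    frozenset({"alice", "mallory"}))
    for record in rm.access(editor, plans, "read"):    # legitimate read
        rm.access(editor, public, "write", record)     # the leak attempt
    return rm.access(mallory, public, "read"), rm.audit


def ics_integrity_scenario(enforce_mac):
    """Downloaded code on the operator account (so it runs UNTRUSTED) tries to
    overwrite a relay set-point the ACL lets the operator edit.  Returns what the
    TRUSTED controller reads afterwards."""
    rm = ReferenceMonitor(enforce_mac)
    tool = Subject("operator", Label(Secrecy.UNCLASSIFIED, Integrity.UNTRUSTED))
    controller = Subject("controller", Label(Secrecy.UNCLASSIFIED, Integrity.TRUSTED))
    setpoint = Object("relay/setpoint", Label(Secrecy.UNCLASSIFIED, Integrity.TRUSTED),
                      frozenset({"operator", "controller"}), ["trip_at=50Hz"])
    rm.access(tool, setpoint, "write", "trip_at=0Hz")  # sabotage attempt
    return rm.access(controller, setpoint, "read")


if __name__ == "__main__":
    for mac in (False, True):
        leaked, audit = trojan_horse_scenario(mac)
        print(f"MAC={mac}: Mallory reads {leaked}; set-point {ics_integrity_scenario(mac)}")
        for entry in audit:
            print("   audit:", entry)
```

Running it prints the audit trail for both configurations: with DAC only, Mallory reads the launch codes and the relay set-point ends up at 0 Hz; with MAC, both attempts are refused and the refusal is in the audit trail with its reason. The sketch gives you only the first of the three Reference Monitor properties, and only because every access goes through one class; nothing here is tamper-proof or verified, which is precisely what a security kernel and its evaluation supply.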
Lipner asserts that this reference monitor approach is “not able to cope with systems large enough to be useful.”[6] Heckman and I respond that “this quite widely-spread assertion has been repeatedly disproven by counterexamples from both real systems and research prototypes.”[4] The paper gives numerous examples of how, by leveraging MAC, complex integrated systems can be composed from logically distinct hardware and software components that may have various degrees of security assurance or no assurance at all.

- Verifiability. The Reference Monitor implementation defined as a security kernel is the only proven technology for reliably achieving verifiable protection. It does not depend on unproven elegant technical solutions, such as open source for “source code inspection” or “gratuitous formal methods.”[2] Security kernels have been shown to be effective for systematic, repeatable, systems-oriented security evaluation of large, distributed, complex systems.

Lipner in his paper[6] asks a critical, but largely unanswered, question: How can customers have any assurance that they are getting a secure system? His answer is limited to development process improvements that don’t address fundamentally what it means for a system to be “secure.” Heckman, by contrast, details how the Reference Monitor approach, with its strong definition of “secure system,” can answer precisely that question.[4]

What Should We Do Then?
It can be expected to take 10–15 years and tens of millions of dollars to build and evaluate a high-assurance security kernel. However, once completed, a general-purpose security kernel is highly reusable for delivering a new secure system in a couple of years. It is economical to use the same kernel in architectures for a wide variety of systems, and the TCSEC’s Ratings Maintenance Phase (RAMP) allows the kernel to be re-verified using the latest technology, without the same investment as the original evaluation. Heckman summarizes several real-world examples where, “This is demonstrated by OEM deployments of highly secure systems and products, ranging from enterprise ‘cloud technology’ to general-purpose database management systems (DBMS) to secure authenticated Internet communications, by applying commercially available security kernel technology.”[4] Heckman additionally describes completed research prototypes in the past few years for things like source-code compatible secure Linux and a standards-compliant highly secure Network File Service (NFS).

A first necessary step is to identify where high-assurance security matters for a system. As just one example, several U.S. government leaders have expressed concern that we face an existential cyber security threat to industrial control systems (ICS) in the critical infrastructure, such as the power grid. Use of an integrity MAC security kernel can within a couple of years make our critical infrastructure dramatically more trustworthy. The U.S. government has a unique opportunity to change the cyber security game and should aggressively engage ICS manufacturers by sponsoring prototypes and providing a market using proven commercial security kernel OEM technology. Otherwise, costs may soon be measured in lives instead of bits or dollar signs.
References
1. Ames, S.R., Jr., Gasser, M., and Schell, R.R. Security kernel design and implementation: An introduction. Computer 16, 7 (1983), 14–22.
2. Anderson, E.A., Irvine, C.E., and Schell, R.R. Subversion as a threat in information warfare. J. Inf. Warfare 3 (2004), 51–64.
3. Clark, P., Irvine, C., and Nguyen, T. Design Principles for Security. NIST Special Publication 800-160, September 2016, pp. 207–221; http://csrc.nist.gov/publications/drafts/800-160/sp800_160_final-draft.pdf
4. Heckman, M.R. and Schell, R.R. Using proven reference monitor patterns for security evaluation. Information 7, 2 (Apr. 2016); http://dx.doi.org/10.3390/info7020023
5. Higgins, K.J. IBM: The security business ‘has no future.’ InformationWeek Dark Reading (Apr. 10, 2008); http://www.darkreading.com/ibm-the-security-business-has-no-future/d/d-id/1129423
6. Lipner, S.B. Security assurance. Commun. ACM 58, 11 (Nov. 2015), 24–26.
7. Schell, R.R. A University Education Cyber Security Paradigm Shift. Presented at the National Initiative for Cybersecurity Education (NICE), San Diego, CA, Nov. 2015; https://www.fbcinc.com/e/nice/ncec/presentations/2015/Schell.pdf
8. Schell, R.R., Downey, P.J., and Popek, G.J. Preliminary Notes on the Design of Secure Military Computer Systems. ESD, Air Force Systems Command, Hanscom AFB, MA, MCI-73-1, Jan. 1973; http://csrc.nist.gov/publications/history/sche73.pdf
Roger R. Schell ([email protected]) is president of Aesec Corporation, and is currently a Distinguished Fellow at the University of San Diego Center for Cyber Security Engineering and Technology. Previously he was a Professor of Engineering Practice at University of Southern California.
The author wishes to thank Michael J. Culver, Mark R. Heckman, and Edwards E. Reed for their valuable feedback on an early draft of this Viewpoint.
Copyright held by author.