Computer Science Department
U C Davis
SECURITY LABORATORY SEMINAR
December 2, 1998
1131 ENG II
1:00 - 2:00

Presentation and Outline by Jeff Rowe
Paper: Philip A. Myers, "Subversion: The Neglected Aspect of Computer Security" (June 1980)

Subversion:
The Neglected Aspect of Computer Security
June, 1980

Jeff Rowe
Seclab Seminar
Dec. 2, 1998

The Problem

  • Lack of coherent policy
  • Inadequate internal mechanisms
  • False assurances

Internal Attack Methods
  • Accidental disclosure
  • Deliberate penetration
  • Subversion

Accidental Disclosure
  • Human or machine errors
  • Examples:
      • Operator mounts the wrong tape
      • Hardware failure of bounds checking
  • Probabilistic, unpredictable events
  • Attacker waits for the right combination of events to occur

Penetration
  • Attacker attempts deliberate penetration of the system
  • Uses system "foibles" to circumvent security controls
  • The methods are repeatable and under the control of the attacker

Profile of a Penetrator
  • Possesses only limited technical knowledge
  • White-collar amateur
  • System user rather than a support professional
  • Lacks the ability to think big
Deliberate Subversion
  • Occurs at any phase of the system lifecycle
  • Under the control of highly skilled individuals
  • Uses deliberately crafted and deliberately inserted artifices
The Artifice
  • Trap doors
      • Under the direct control of an activation stimulus
      • Circumvent normal system control features
  • Trojan horses
      • Need not circumvent normal system control features
      • Have both overt and covert functions
Desirable Trap Door Traits
  • Compactness
  • Revision independence
  • Installation independence
  • Untraceable
  • Uniquely triggerable
  • Adaptability
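
As an added example (not from Myers' paper or from this outline): a constructed login routine in C with a planted trap door, beside the same routine as the vendor intended it. The account name, password, trigger string and the in-memory audit trail are all hypothetical. The artifice shows several of the traits listed above: it is a few lines (compactness), it reads nothing from the password data so it survives changes to that data (revision and installation independence), its activation stimulus is a byte string no user types at a terminal (uniquely triggerable), and because it returns before the audit call, the access leaves no record (untraceable).

```c
#include <stdio.h>
#include <string.h>

/* Constructed account; a real system would consult a password file. */
static const char *ACCOUNT = "operator";
static const char *PASSWORD = "tape-17";

/* Constructed audit trail, kept in memory so its contents can be inspected. */
static char audit_log[1024];

static void audit(const char *user, const char *verdict)
{
    size_t used = strlen(audit_log);
    snprintf(audit_log + used, sizeof audit_log - used, "%s:%s\n", user, verdict);
}

void audit_reset(void) { audit_log[0] = '\0'; }

int audit_contains(const char *needle) { return strstr(audit_log, needle) != NULL; }

/* The activation stimulus (hypothetical): the octal escapes give two control
 * bytes that no keyboard entry produces, so only the planter triggers it. */
#define TRIGGER "\177\001OPEN"

/* Subverted routine: returns 1 to grant access, 0 to deny. */
int check_login_subverted(const char *user, const char *pass)
{
    if (strcmp(pass, TRIGGER) == 0)   /* the trap door, placed before the audit call */
        return 1;                     /* access granted, nothing logged */
    int ok = strcmp(user, ACCOUNT) == 0 && strcmp(pass, PASSWORD) == 0;
    audit(user, ok ? "ok" : "denied");
    return ok;
}

/* The same routine without the artifice: every decision is audited. */
int check_login_clean(const char *user, const char *pass)
{
    int ok = strcmp(user, ACCOUNT) == 0 && strcmp(pass, PASSWORD) == 0;
    audit(user, ok ? "ok" : "denied");
    return ok;
}

int main(void)
{
    audit_reset();
    int granted = check_login_subverted("nobody", TRIGGER);
    printf("subverted routine, trigger: granted=%d audited=%d\n",
           granted, audit_contains("nobody"));
    granted = check_login_clean("nobody", TRIGGER);
    printf("clean routine, trigger:     granted=%d audited=%d\n",
           granted, audit_contains("nobody:denied"));
    return 0;
}
```

The placement is the point: an auditor reading only the audit trail sees nothing, which is why the outline's later remark about audit procedures (auditing everything, or auditing only user-mode actions) matters. Finding this artifice requires comparing the installed object code or source against what was reviewed, which is the argument for the security kernel approach the paper ends with.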
Desirable Trojan Horse Traits
  • Directed lure
  • Compatibility of functions
Obscuring Artifices
  • Modification of object code
  • Abuse of software engineering practices
  • Use of assembler languages
  • Strategic placement
  • Use of covert channels
Inserting Artifices
  • Design phase
  • Implementation phase
  • Distribution phase
  • Installation phase
  • Production phase
Design Phase Insertion
  • Password procedures
  • Audit procedures
      • Audit everything: the monitor is overwhelmed, hiding the artifice's traces
      • Audit only user-mode actions: the artifice hides below user mode
  • Covert channels
  • Backward compatibility requirements
  • Software packages
  • Peripherals
Implementation Phase Insertion
  • Penetration of the development host
  • Coding and testing
      • Use unneeded global variable attributes
      • Exploit lack of bounds checking
  • Hardware assembly and testing
      • Intercept parts shipments and replace them with subverted hardware
      • Clandestine hardware insertion by assembly-line personnel
Distribution Phase
  • Performed after the review process is complete
  • Carries the vendor's stamp of approval
  • Uses delivery personnel, mailmen, shipping clerks
Installation Phase
  • New uncertain environment
  • Security Officers might allow the system to run under less stringent controls for debugging.
Exploiting Artifices
  • Breaking out of a restricted subsystem
  • Signal emission
  • Memory residue
  • Covert channels
  • Denial of service
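
As an added example (not from the paper or this outline) of the memory residue item above: a constructed fixed-slot storage pool in C, standing in for a system allocator, with a privileged job that writes sensitive data, releases its storage, and an unprivileged job that then requests every slot it can get and reads what was left behind. The pool, the `scrub` flag, and the marker string are hypothetical; the general point, that storage must be cleared on release (object reuse control) rather than trusting the next owner not to look, is the one a practitioner would take away.

```c
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 64
#define SLOTS 4

/* Constructed fixed pool standing in for the system's storage allocator. */
static unsigned char pool[SLOTS][SLOT_SIZE];
static int in_use[SLOTS];

static void pool_reset(void)
{
    memset(pool, 0, sizeof pool);
    memset(in_use, 0, sizeof in_use);
}

/* Hand out the first free slot, NULL when none is left. */
static void *pool_alloc(void)
{
    for (int i = 0; i < SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;
}

/* Return a slot. With scrub == 0 the old contents stay in place (residue);
 * with scrub == 1 the slot is cleared before it can be reused. */
static void pool_free(void *p, int scrub)
{
    int i = (int)(((unsigned char *)p - &pool[0][0]) / SLOT_SIZE);
    if (scrub) memset(p, 0, SLOT_SIZE);
    in_use[i] = 0;
}

/* The attacker's half: request every slot the allocator will give and look
 * for the marker at its start. Returns the number of slots carrying it. */
int scan_residue(const char *marker)
{
    int hits = 0;
    size_t len = strlen(marker);
    void *p;
    while ((p = pool_alloc()) != NULL)
        if (memcmp(p, marker, len) == 0) hits++;
    return hits;
}

/* The victim's half followed by the attack. Returns the number of leaked slots. */
int residue_leaks(int scrub)
{
    pool_reset();
    char *priv = pool_alloc();               /* privileged job's buffer */
    strcpy(priv, "SECRET:sysgen password");  /* constructed sensitive data */
    pool_free(priv, scrub);                  /* job ends, storage released */
    return scan_residue("SECRET:");          /* unprivileged job runs next */
}

int main(void)
{
    printf("without scrubbing on release: %d slot(s) leak\n", residue_leaks(0));
    printf("with scrubbing on release:    %d slot(s) leak\n", residue_leaks(1));
    return 0;
}
```

The same exercise applies to the other items in the list: an artifice that never has to break out of its restricted subsystem can still carry data out through whatever the system fails to clear, emit, or meter.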
Minimizing the Risks
  • Restricting insertion opportunities
      • Security clearance for any personnel involved
      • Hardening of manufacturing and development sites
      • Protection of all components from malicious access
  • Restricting exercising opportunities
      • Restricting the retrieval of information
      • Installing a security perimeter
      • Security kernel