NSPW 2001 Conference Report
Cloudcroft, New Mexico, USA, September 10-13, 2001
Review by Mary Ellen Zurko
October 2, 2001
NSPW 2001 Conference Report New Security Paradigms Workshop was held September 10 - 13, 2001 at Cloudcroft, New Mexico, USA. It was sponsored by the Association for Computing Machinery with Support from the Department of Defense, USA, and SEI/CERT. The first session began on Tuesday, September 11, after a recognition of the tragedy of the attacks, and various participants needs to contact loved ones.
Session 1, Creative Mathematics, was chaired by Mike Williams.
The first paper was "Computational Paradigms and Protection" by Simon N. Foley and John P. Morrison. Simon presented. Their security model uses the sequencing control in parallel and concurrent programming to specify access control over the states in a transaction. In the traditional imperative paradigm, the programmer must explicitly specify the sequencing constraints on operations. The availability and coercion paradigms take a sequence of operations and drive it from either the beginning or the end result. In the availability paradigm, operations run when their input data is available. In the coercion paradigm, operations are executed when their results are needed. The authors suggest that casting protection in the availability or coercion styles provides the basis for more flexible and distributed control over the sequencing and mediation of the operations. They use the Condensed Graph model to specify the flow and triggers. An operation may be scheduled to a particular security domain if the domain is permitted to execute the operation. The example equates these permissions with user roles. A tenaciously protected operation will only produce results in an appropriate domain, while a fragilely protected operation may produce null if it is not in an appropriate domain when it fires. They have a prototype implementation of this system.
The next paper was "Secure Multi-Party Computation Problems and their Applications: A Review and Open Problems" by Wenliang (Kevin) Du and Mikhail J. Attalah. Kevin presented. After an overview of what Secure Multi-party Computation (SMC) is an the related work in the area, Kevin discussed their framework for identifying and defining SMC problems for a spectrum of computation domains. Their transformation framework systematically transforms normal computations into SMC computations. Computations can be multi-input (often two) or single-input. The inputs are considered private, and sometimes the results are too. In the latter case, some participating party is not allowed to know the results. The SMC model assumes two parts of input, coming from different two different parties, each of whom is keeping their input private. In the single input case, the input is divided into two data sets. In the homogeneous transformation, each data item maintains its atomicity. In the heterogeneous transformation, each data item is split in two. Problems identified with this framework include privacy-preserving (PP) database queries, PP data mining, PP intrusion detection, PP statistical analysis, PP geometric computations, and PP scientific computations.
The next paper was "Model-Carrying Code (MCC): A New Paradigm for Mobile-Code Security" by R. Sekar, C.R. Ramakrishnan, I.V. Ramakrishnan and S.A. Smolka. Sekar presented. The primary motivation is that with existing approaches, neither the producer nor the consumer can unilaterally determine the security needs of a mobile program. This vision includes consumers refining their policies when mismatches occur. In addition to conformance with the consumer's policy, their approach checks if the model represents a safe approximation of program behavior, based on the particular execution of the program at the consumer's site. With MCC, mobile code comes equipped with an expressive yet concise model of the code's security relevant behavior. The code can be restricted to that model, as accepted by the consumer, when it runs. Alternatively, the consumer can trust a signature over the code and model, or rely on proof-carrying code to check the code against the model. The approach is applicable to code written in C or C++; it is not language-specific or limited to type-safe languages. It is an alternative to approaches such as proof-carrying code and Java security. They use extended finite-state automata to represent program models. They have looked at compile-time analysis and machine learning to generate the models.
Session 2: Survivability, was chaired by Abe Singer.
The first paper of that session was "Heterogeneous Networking - A New Survivability Paradigm" by Yonguang Zhang, Son K. Dao, Harrick Vin, Lorenzo Alvisi, and Wenke Lee. Yongguang presented. Their paper proposes systematically increasing a network's heterogeneity to improve a its defense capabilities, without sacrificing interoperability. Their diversity space diagram organizes functional capabilities of a network (protocols, routers) along the dimensions of operating systems, communication medium and service model. The distance between any two elements would represent their vulnerability to attacks. A key question is how many elements a survivable network needs to support. In principle, composing different selections of network elements from each functional capability layer can yield different versions of an end-to-end network service. Their methodology supports network reconstitution through heterogeneous replication and dynamic reconfiguration. IDS reports drive the dynamic behavior. As an example of their heterogeneous service model, they show the standard client/server WWW application over the Internet being replicated with a broadcast/filter information dissemination application over a satellite network. Discussion points that will be integrated into the final paper include problems with single physical points of failure (the dreaded back hoe attack) and studies that show that different programmers given the same problem produce solutions with overlapping vulnerabilities.
The next paper was "Safe and Sound: a safety-critical approach to security (Position Paper)" by Sacha Brostoff and M. Angela Sasse. Sacha presented. Their emphasis is on socio-technical design of security. They note that safety-critical systems design has similar goals and issues as security design. On similarity is that failures in both types of systems may result in an attribution of failure that does more to identify who to blame than it does to fix the problem. On difference they point out is that violation of security rules is encouraged in certain contexts to identify security flaws. They suggest Reason's Generic Error Modeling System (GEMS) as a starting point. It identifies three error types: slips (attentional failures), lapses (memory failures), and mistakes (intended action that leads to unintended result). With violations, these form the class of unsafe acts. An organization is described by decision-makers, line managers, preconditions, productive activities, and defenses. The model's distinction between active and latent failures offers a way to identify and address security issues that involve human behavior.
Session 3 was a discussion session, chaired by Bob Blakley, based on Victor Raskin's "Ontology in Information Security: A Useful Theoretical Foundation and Methodological Tool". Victor argues that the security community needs an ontology. He has seen researchers argue about the definition of terms such as anonymity, unlinkability, unobservability, and pseudonymy. An ontology is a highly structured system of concepts covering the processes, objects, and attributes of a domain in all of their pertinent complex relationships. Ontology organizes and systematizes all phenomena in a research purview. Most approaches gain from the induced modularity. I can predict additions from the full combinatorics of the compatible properties. Discussion questions included ontology's relationship to glossaries, how practitioners would use and profit from it, and whether or not an ontology makes it easier to miss security flaws that have gone unnamed.
The first session on Wednesday, September 12, was Session 4: Innovative Solutions, chaired by Carla Marceau.
Carla also stepped in and presented "AngeL: A Tool to Disarm Computer Systems" for Danilo Bruschi and Emilia Rosti. This tool attempts to stop distributed denial of service attacks from the hosts that are used without their owner's knowledge to launch the attacks, as opposed to more traditional approaches that try to defend from the target on back. The tool works for DOS attacks targeted to the local host as well. It can currently detect and block more than 70 documented attacks. They had presented their initial concept of connecting disarmed hosts at NSPW 2000. One of the things AngeL does is wrap the execve(). It checks the contents of environment variables for suspicious characters, it checks that stats and privileges on the calling program, and it checks the parameters. There is also a module that can be integrated into the personal firewall capability of Linux which looks for attacks that exploit network and transport layer and application layer protocol vulnerabilities. A protection mechanism to keep the tool from being removed was also implemented. AngeL is a loadable kernel module. An MD5 encrypted password is associated with it during loading. The password must be written to the write only /dev/angel device to allow removal. Some performance evaluation was also included in the paper.
The next paper was "Survival by Defense-Enabling" by Partha Pal, Franklin Webber and Richard Schantz. Partha presented. Their work attempts to give applications attack survival and intrusion tolerance, even when their environment is untrustworthy. They emphasize survival by defense, which aims to frustrate an attacker if protection fails and the attacker gains some privilege. This work assumes the ability to modify or extend the design of critical applications. The paper focuses on corruption that results from a malicious attack exploiting flaws in an application's environment. They discuss slowing down the attacker's acquisition of privilege, by distributing the application's parts across domains and constraining privilege accumulation concurrently across a set of domains. Requiring application privilege separate from domain administrator privilege can slow down attackers. Use of redundancy, monitoring, and adaptation can also be used. The paper also considers both direct attacks on the application itself and indirect attacks which target the resources applications need. Pro-active defensive adaptation can further slow the attacker. While their emphasis is on sequential attacks, they are looking at rapid reaction to anomalies for non-sequential attacks (such as DDOS).
The next paper was "A Trusted Process to Digitally Sign a Document" by
Boris Balacheff, Liqun Chen, David Plaquin and Graeme Proudler. Graeme
presented. This approach relies on the Trusted Computing Platform Alliance
Session 5, Less is More, was chaired by Sami Saydjari.
The first paper was "NATE - Network analysis of Anomalous Traffic Events, a
Low-Cost Approach" by Carol Taylor and Jim Alves-Foss. Carol presented.
Their work is specifically designed for high speed traffic and low
maintenance. It features minimal traffic measurements, an anomaly-based
detection method, and a limited attack scope. The expectation is that the
anomaly based approach combined with simplified design will be more
efficient in both operation and maintenance than other lightweight
approaches. NATE only measures packet headers. They monitor counts of the
TCP flags and the number of bytes transferred for each packet. They also
aggregate sessions based on source and destination IP and port. They use
cluster analysis, a multivariate technique, to find normal groups of TCP/IP
sessions, and they used Principal Components Analysis for data reduction.
They evaluated their method against the Lincoln Labs data set. They found
it was successful in identifying the attacks that could be identified from
analyzing network headers, and it had a low false positive rate.
The next paper was "Information Security is Information Risk Management" by
Bob Blakley, Ellen McDermott, and Dan Geer. Bob presented. The paper argues
the information security technology deals with only a small fraction of the
problem of information risk. The evidence increasingly suggests that it
does not reduce information risk very effectively. Generally speaking,
businesses manage risk as part of their day-to-day operations. They may
transfer liability for an adverse event to another party. A business may
indemnify itself against the consequences, either by pooling with other
businesses (insurance policies) or hedging by placing a bet that the
adverse event will happen (options). Risk can be mitigated by systems or
process redesign, or reducing the damage that is likely to occur (building
codes). Businesses can retain risks, and either set aside funds to offset
the cost, or not. A table of information security products and processes
shows them to be heavily clustered in the mitigation category. The FBI/CSI
survey shows nearly universal deployment of security technology and rapidly
and steadily rising losses from security incidents. Information security
risk assessments should focus on quantifying risks. Security technology
development and selection should be based on quantitative studies of
effectiveness. Information that needs to be collected to do this includes
vulnerabilities, incidents, losses, and countermeasure effectiveness. The
authors ask, if the IT security industry can design countermeasures and
counsel clients on how to defend their systems, why can't _we_ help
underwriters develop assessment and underwriting tools and train claims
professionals in the intricacies of IT losses? Do we have something more
important to do?
Session 6 was a panel celebrating the 10th NSPW, called "The New Security
Paradigm Workshop: Boom or Bust?" Steven J. Greenwald was Panel Chair. The
panel statements were "Neither Boom Nor Bust" by Hilary H. Hosmer,
"Tracking Influence Through Citation Index Comparisons and Preliminary Case
Studies" by Mary Ellen Zurko, and "Thinking in an Age of Instant
Communication; Communicating in a Time of Reflective Thought" by Marv
Schaefer. Steve asked the question, has NSPW been effective for advancing
new ideas, challenging old ones, and encouraging new authors? Paradigm
shifts predicted by the first NSPW authors included a shift to application
level security, decentralized interoperable networks, systemic flaw
reporting and correction, and enterprise modeling of sociotechnological
aspects of computers. Holly pointed out that the Boom and Bust model is not
applicable. Her paper points out that the boom and bust model is a dynamic
model with delayed feedback, resulting in the failure of the system to
adjust rapidly enough to reach sustainable equilibrium. Most new paradigms
take at least a generation to win general acceptance, when the holders of
the old paradigm die off. Mez presented some citation index numbers from
CiteSeer
The final session, on Thursday, September 13, was Session 7: Passwords
Revisited, chaired by Tom Daniels.
The first paper was "A Note on Proactive Password Checking" by Jeff Jianxin
Yan. Jeff argues that hackers may attempt to brute force passwords based on
entropy. He proposes using entropy-based proactive password checking as an
enhancement to current use of dictionary-based checking. Proactive password
checking checks a user's (new) password in order to determine its strength.
He gives 12a34b5 as an example of a low entropy password not currently
caught by proactive password checkers. Using a 7 character password as an
example (because the length is widely used), he notes that the highest
entropy pattern is 5 alphabetical and 2 numeric characters, while 2
alphabetic characters and 5 numeric characters is in an area of low
entropy. The paper outlines a simple and efficient algorithm to detect low
entropy 7 character passwords. Future work includes extending the analysis
to longer passwords. Much of the discussion centered around the potential
pitfalls of attempting to deploy proactive low entropy password checking.
The final paper was "Pretty Good Persuasion: A First Step Towards Effective
Password Security" by Dirk Weirich and Martina Angela Sasse. Dirk
presented. This work starts from the assumption that in most organizations,
users cannot be forced to comply with security policies. They must be
persuaded to do so. The persuasion may rely on changes to the policies and
the way they are enforced, or on changing the social discourse around the
subject. This work focuses on rules around and use of passwords. They
conducted semi-structured in-depth interviews to try to understand why some
users are motivated to behave in a security-conscious fashion, and some are
not. The interviews were guided by the theory of fear appeals, which says
that to be effective, they must convince the recipient that the problem is
serious, it may affect them, it can be avoided by taking appropriate
action, and the recipient is capable of performing that action. Discourse
analysis brought out a number of points. A large number of participants had
mental constructs that make it almost impossible to use fear appeals
effectively. There was a strong social element in sharing passwords; it is
seen as a sign of trust among co-workers. People who behave in a
security-conscious way are often described in negative terms such as
"paranoid", even by themselves. Initial ideas on how to solve these
problems include changing the discourse about password mechanisms using
social marketing techniques, changing policy so that it will increase
compliance, and designing mechanisms with their persuasive power in mind. A
very extreme change that might be used for further study would be to
implement a password mechanism that did not allow a user who forgot their
password to change it for 24 hours, and which was unique and used without a
name, to strengthen personal association.