No Silver Bullet: Inherent Limitations of Computer Security Technologies

Jeffrey W. Humphries, Daniel J. Ragsdale, Curtis A. Carver, Jr., John Mitchell, Duval Hill, Udo W. Pooch
Department of Computer Science, Texas A&M University, College Station, TX 77843-3112, USA
ABSTRACT

Awareness of the need for secure systems has grown rapidly as computers have become increasingly pervasive in our society. Numerous computer security technologies have been proposed and implemented, but all of them fall short of providing the level of security most organizations and end-users expect. No current technology, whether used in isolation or together with other measures, fully addresses the problems associated with insecure computing platforms. Further, it is not likely that any technology developed in the near future will, by itself, fix these problems. By examining the inherent problems in securing computers, this paper shows why it is unlikely that any silver bullet will be found that fully addresses the problem in the foreseeable future. This paper also discusses some current technologies and shows why they do not adequately address these issues. It concludes with an assessment of evolutionary change and proposes approaches that may produce incremental improvements.

Keywords: Information Systems Management, Communication Systems and Networks, Computer Security, Security Policy, Security Technologies
1. INTRODUCTION

Reports of computer break-ins, hacker incidents, and viruses are now common in the public press. As the number of reports increases, awareness of the need for secure systems has grown rapidly. Increased personal computer use, exponential growth in networking, and the advent of the World Wide Web have especially increased public concern for security [1, 2]. The current direction of computer science has moved away from the more easily secured mainframe paradigm towards more distributed, web-based, agent-based paradigms. A number of computer security technologies have been developed to address the security implications introduced by this shift, but all of them fall short of providing the level of security most organizations and end-users expect. No present technology, whether used by itself or in conjunction with other mechanisms, fully addresses the computer security problem. Moreover, because of the fundamental problems in computer security, it is unlikely that any future development will provide an immediate solution. Rather, while no single solution is probable, it is more likely that approaches that attempt to address these inherent problems will provide better solutions. This paper only considers enabling security technologies and practices -- legal and social proposals are not addressed.

The Nature of the Problem

"The security of a system is a measure of its ability to implement a security policy" [3]. It is often described in terms of its three principal elements: confidentiality, integrity, and availability. While computer security covers a broad range of threats, such as natural disasters and accidents, the focus here is on the intentional threat -- the intelligent, determined, and deliberate attacks that can be made against computing platforms. Thus, by definition, the term computer security is used here to mean defense from deliberate attacks [4]. The fast-paced change in computer technology, and the complexity it naturally brings, has increased the number of system vulnerabilities and has not improved overall security as some had predicted. Today's attackers have an increasingly large number of points to attack: satellite communications, video conferencing, fax machines, digital communications systems, mobile communications, mobile computing, personal computers, and dozens of other new technologies are commonplace. Moreover, new technologies, with their own set of exploitable vulnerabilities, are being continually created [5]. Likewise, the growth in the size and diversity of computer networks makes the job of securing computing systems increasingly difficult. Since computing platforms have become omnipresent, the task of system administration has become more decentralized. It is virtually impossible for system administrators to keep abreast of every new hardware or software technology, much less the new vulnerabilities each one introduces.
Because of the many other concerns that system administrators have to address each day, security is often neglected due to lack of time or skill. Often, end users are left to install software on their own systems, leaving well-known security holes that provide easy access for an attacker [6]. Schneier [7] describes those who try to defend their computer systems as occupying what is called "the position of the interior", a phrase coined by the Prussian general Carl von Clausewitz. For a system to be truly secure, it must defend against every conceivable attack, even those that are not currently known. The attacker, however, need only find one crack in security in order to defeat the system. Further, today's attackers can use whatever unscrupulous methods are at their disposal to attack the system in ways those attempting to protect the system may never have considered. "The odds favor the attacker: defenders have to protect against every possible vulnerability, but an attacker only has to find one security flaw to compromise the whole system" [8].
2. INHERENT PROBLEMS IN COMPUTER SECURITY

Providing adequate computer security is very difficult. By examining the inherent problems in securing computers, it can be shown why it is unlikely that a quick fix will be found in the foreseeable future to fully address these problems. The following sections also discuss the properties of technologies that have been proposed and show why they are inadequate. In particular, three inherent difficulties in the nature of computer security are examined: the complexity of the computing environment, the rate of change in computer technology, and the people factor.

Complexity of the Computing Environment

One of the inherent problems in computer security is the complexity of the computing environment. Computer technology, both hardware and software, grows more complex each day. Not only are the individual components complex, but the exponential growth in their interconnection makes the entire infrastructure complex. All components of a computing system are potentially vulnerable, including the communications links, the actual computer hardware and related equipment, and the associated software [9]. The increase in size and complexity far exceeds what any given security mechanism can monitor, even for relatively small networks. As a result, as this "information grid" expands and becomes more accessible, the security vulnerabilities increase as well. This occurs for several reasons [5]. First, an increase in size means that more valid users have access to the system, thus increasing the threat from insiders. Second, as the number of hosts and connection points increases, outside attackers have more opportunities to penetrate a system. Finally, if an attacker, either from the inside or from the outside, does manage to penetrate a system, more information is now available than ever before to be compromised.
Even a solitary penetration has the potential to be extremely damaging, especially in a highly connected computing environment [5]. Likewise, since the computing environment has become so complex and interconnected, an attacker need only focus on a small subset of the infrastructure in order to cause major disruptions. Furthermore, since new technologies become available to potential attackers at the same time as they do to everyone else, adversaries have time to understand these technologies and look for exploits [5]. For example, industry is increasingly reliant on commercial off-the-shelf (COTS) software and hardware. These products increase an organization's vulnerabilities by making its systems familiar to potential attackers who know the weaknesses of these products.

Rate of Change in Computer Technology

Another inherent problem in computer security is the rate of change in computer technology. "The explosion of information technologies has set in motion a virtual tidal wave of change that is in the process of profoundly affecting organizations and individuals in multiple dimensions" [5]. The pace of these advances in information technologies and their use means that security mechanisms must be able to keep up or they will quickly become outdated [5]. This rapid change in technology hampers computer security efforts for several reasons. First, computer product developers, in their rush to get new products to market, fail to thoroughly research and understand the security implications their products might have for those who use them. Many times, the security weaknesses in these products are not found until after the product has been installed and is in use in an organization that is unaware it is vulnerable. It is inevitable that security engineering will continue to lag behind product development [10]. Likewise, technological advances and the pervasive drive toward efficiency lead many organizations to purchase, install, and integrate these new products into their computing infrastructure with little thought for their effect on security [9]. Many organizations are unaware that what appears to be a benign change to enhance their performance or efficiency can have a profound impact on the organization's vulnerability to attack by potential adversaries who know what to look for. For example, the installation of a newer version of a popular software package can introduce enormous vulnerabilities into an organization's infrastructure. The usual response to such events is for the organization to install security patches after an attack has occurred. This method does not provide an adequate level of security to most organizations.
A new security flaw can be described on the Internet and exploited by thousands much faster than developers can create and disseminate patches. Computer systems must be able to anticipate future attacks because any technology designed today is likely to remain in use for several years [8].

The People Factor

A third problem that is inherent to computer security involves people. Human beings are responsible for the design, configuration, and use of systems with security features. People often make mistakes in judgment and implementation, and many take shortcuts. Further, it is not possible for people to anticipate all possible failures [10]. In the realm of computer security, people can be categorized as either insiders or outsiders. The insider works for an organization and usually has some form of trusted, authorized access to the computing resources therein. An outsider is an attacker who has no prior access to the target computing platform. Both categories pose special problems in computer security. The largest threat, both in the number of incidents and in the monetary damage caused by attacks, comes from insiders [4, 10]. Insiders are a threat when, for personal gain or for sabotage, they exploit information resources within their organization [4]. "A system that is secure when the operators are trusted and the computers are completely under the control of the company using the system may not be secure when the operators are temps hired at just over the minimum wage and the computers are untrusted" [7]. Insiders can also introduce threats by accident. For example, even systems that are secure when used properly can become vulnerable when users subvert the security features by accident, especially if the system was not designed well [7]. Even more importantly, many system administrators are simply not trained in, or do not possess adequate knowledge of, information security to ensure that their systems are safe. Because security personnel and system administrators change jobs frequently, inconsistencies in an organization's security policies develop. It is also difficult for personnel to keep up with the new procedures and safeguards that are constantly being developed and introduced by an organization with the intent of improving security. These new procedures often have the unintended effect of introducing new weaknesses. The threat from outsiders can also be very costly. These so-called hackers are becoming increasingly proficient at using easily obtainable, low-cost technologies that provide tools for penetrating computer systems anywhere in the world [5]. Advances in technologies such as the World Wide Web have resulted in an enormous amount of potentially dangerous information being available to individuals anywhere [5]. The Internet is the enabling tool that is almost singularly responsible for the spread of knowledge about vulnerabilities and the distribution of hacking tools worldwide [10]. Further, as these tools become more powerful and user friendly, the attacker's task becomes even easier. Sophisticated attacks that can devastate a targeted computer system can be launched by people with very modest technical expertise [10].
To make matters worse, there is considerable evidence that the once informal community of hackers is becoming more and more organized, as individuals increasingly share their latest skills and tools with others on the Web [9]. Because the Internet is world-wide, attackers can mount an attack from anywhere in the world, hopping through multiple locations in between, which makes tracking them extremely difficult. Computer specialists and system administrators are in a constant tug-of-war with the hacker community -- each tries to foil the other. It is doubtful that this struggle will ever be effectively ended. Consequently, it is important for system administrators and users to maintain a vigilant watch over their systems and to continue to develop and implement improved security measures [9]. "History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet" [8].
3. CURRENT TECHNOLOGIES FALL SHORT

Providing good security is very difficult. The increasing sensitivity to the need for security has resulted in a corresponding increase in efforts to add security to current computing systems [1]. Good solutions are complex enough to require more than one type of remedy and involve actions among various organizations that need to be closely coordinated in order to be effective. No existing technology provides the type of orchestration of appropriate remedies necessary for a coherent solution to the inherent problems in computer security [5]. The current disciplines that profess to have found some solutions to these problems are insufficient and poorly understood [8].

Authentication and Access Controls

It is well known by most system administrators that standard methods of user authentication and access control, such as the use of passwords, are woefully inadequate to provide any real security. It is far too easy for an attacker to subvert current authentication mechanisms. Several technologies, such as handheld authenticators, biometrics, and smart cards, have been proposed which purport to solve the current authentication problem and make computers more secure. While these technologies may make small improvements in security in some systems, they fall short of their promise to provide complete system security to the end user. It is important for those responsible for an organization's security to realize that, while these technologies may have some value, they also have their limitations and are all potentially vulnerable to bypass or subversion [10].

Network Technologies

The trend in a number of organizations has been to make their systems more open. Many believe their information systems should be accessible both to their own employees working from remote sites and to the customers who use the systems [9]. As this trend will likely continue, the number and significance of network vulnerabilities will continue to grow. Networked systems will always have vulnerabilities [10], but many technologies have been developed and marketed as the 'final solution' to network protection; none of them, however, can live up to these claims. The most common mechanism for which exaggerated claims of network protection have been made is the firewall.
Most firewalls are vulnerable because they are subject to subversion and provide little protection against malicious code that passes through the firewall in seemingly legitimate messages. They are also vulnerable to ill-defined and incomplete security policies [10]. Further, firewalls provide absolutely no protection against attacks by malicious insiders [1]. At best, firewalls provide protection from the 'casual attacker' who is simply rattling doorknobs. In the worst case, firewalls give an organization a false sense of protection.

Intrusion Detection Systems

Intrusion detection systems detect attacks that attempt to compromise the integrity, confidentiality, or availability of a resource [11]. A good intrusion detection system tries to detect abuse and to contain the effects of any attack in its early stages, preferably in real time. System designers must assume that sooner or later the system will be successfully attacked, most likely in a completely new and unexpected way. Therefore, the ability to detect such an attack is important, as is the ability to contain the attack to ensure it does minimal damage [12]. Intrusion detection systems, however, have a number of weaknesses. First, as systems grow and become more fully connected, the simple task of even noticing a penetration or penetration attempt becomes extremely difficult. Many times, intrusion detection systems cannot distinguish between events that can be considered normal and those that are intrusive [5]. These systems are vulnerable to falsely characterizing normal behavior as an attack, to missing attacks altogether, to being disabled, and to incomplete or false knowledge about what should be considered an attack [10]. The sheer volume of information needed to monitor a network frustrates an intrusion detection system's ability to quickly identify problems. Second, like many other security mechanisms, intrusion detection systems have a very difficult time stopping the insider threat. Finally, very few intrusion detection systems are able to formulate an appropriate real-time response to perceived attacks, which reduces many of them to mere burglar alarms.

Cryptography

Another technology that many hope will solve the computer security dilemma is cryptography. Schneier summed it up with the statement that "strong cryptography is very powerful when it is done right, but it is not a panacea" [12]. Indeed, when system administrators and security personnel focus solely on the power of cryptographic mechanisms while ignoring other aspects of security, they set themselves up for failure. "Building a secure cryptographic system is easy to do badly, and very difficult to do well" [7], because cryptographic system design is an art as well as a science. Those who design and implement these systems must strike a balance between security and convenience, anonymity and accountability, privacy and availability [13]. Smart attackers will simply go around the cryptography and target weaker points in the system [12]. The first problem with cryptography is that it lulls the user into a false sense of security. The cryptography now on the market doesn't usually provide the level of security it advertises.
Most systems today are designed by engineers who think cryptography is like any other computer technology. They often believe that systems can be made secure by attaching cryptography as an afterthought [8]. Unfortunately, these products often get the cryptography wrong, because they frequently rely on proprietary encryption algorithms. Many of these proprietary algorithms are very weak because it is very easy to introduce defects into even simple cryptographic protocols if the designers are unfamiliar with the technology [7, 14]. Another problem with cryptographic technology is that it is potentially vulnerable to weaknesses in the algorithms and protocols used, as well as in the key generation and key management techniques employed [10]. Some people believe that longer keys will solve the problem, but using longer keys doesn't necessarily translate into better security [7, 12]. In practice, attackers rarely break cryptography through mathematics; other parts of the system are much easier to break [13]. Attackers can almost always find ways to bypass these algorithms by exploiting errors in design, implementation, and installation [7]. The people who break into systems don't follow the rules. They often attack a system using methods the designers never considered [8]. For example, key recovery databases can become sources of vulnerability if not designed and implemented correctly. Random-number generators are another place where attackers can often break cryptographic systems [7]. Further, attackers don't even have to target the cryptographic technologies at all -- social engineering attacks often produce better results than months of persistent cryptanalysis [12]. In addition, cryptography may be irrelevant if an attacker can circumvent it through some network insecurity [7]. Even if cryptography were ubiquitous and implemented correctly every time, 85% of the CERT advisories over the last 10 years describe vulnerabilities that would still exist because they are beyond the scope of cryptography to fix [14]. Security problems such as traffic analysis and denial of service can continue to plague systems even if the underlying cryptography is sound.

Other Technologies

Many other technologies have been proposed to solve the computer security problem. Mechanisms such as vulnerability scanners, virus scanners, secure software, and even security policies and standards have all been advocated as solutions. While each of these tools may improve security peripherally, none of them, whether used in isolation or together with other tools, addresses the inherent problems in computer security. Such tools also do little to protect systems from the insider threat or from well-informed hackers who know about new vulnerabilities before the security tools are updated. As technology continues to progress, hackers will find ways to inject malicious code into target systems through a broadening variety of delivery mechanisms, including commercial software, network protocols, electronic mail, and web browsers [10].
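The cryptography discussion above makes two points that are easy to state and easy to get wrong in practice: longer keys do not help when the key generator is the weak point, and random-number generation is where cryptographic systems are often broken. The following Python example is added here and is not part of the original paper; it uses a constructed toy stream cipher, a constructed 16-bit seed value and constructed header bytes to show that a nominal 256-bit key derived from a small seed has only as much strength as the seed, which a reviewer can confirm with a known-plaintext audit, while the same key length drawn from the OS CSPRNG has the full key space.

```python
import hashlib
import random
import secrets

KEY_BYTES = 32  # nominal 256-bit key in both generators below


def key_from_small_seed(seed: int) -> bytes:
    """Derive a 256-bit key from a non-cryptographic PRNG seeded with a small integer.

    This reproduces the mistake the paper alludes to: the key is long, but
    everything about it is determined by a seed drawn from a tiny space
    (a coarse timestamp, a process id, a counter). random.Random is the
    Mersenne Twister and is fully deterministic for a given seed."""
    return random.Random(seed).getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")


def key_from_csprng() -> bytes:
    """Correct version: 256 bits taken directly from the OS entropy source."""
    return secrets.token_bytes(KEY_BYTES)


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode), constructed for this demo only.
    The weakness shown below lies in key generation, not in this construction."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with the keystream (the operation is symmetric)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def effective_key_bits(seed_bits: int, key_bits: int) -> int:
    """The strength of a key is bounded by the smaller of its length and the
    entropy that went into producing it."""
    return min(seed_bits, key_bits)


def audit_seed_space(known_plaintext: bytes, ciphertext: bytes, seed_bits: int):
    """Reviewer's check: assume the key came from key_from_small_seed with a seed
    of at most seed_bits bits and test whether a single known plaintext/ciphertext
    pair pins the key down. Returns the recovered seed, or None if no seed in the
    space reproduces the ciphertext."""
    for seed in range(1 << seed_bits):
        if xor_crypt(key_from_small_seed(seed), known_plaintext) == ciphertext:
            return seed
    return None


def demo() -> dict:
    """Constructed scenario: a 256-bit key derived from a 16-bit seed."""
    seed_bits = 16
    seed = 0x2A5C                          # constructed value, e.g. a 16-bit counter
    header = b"Content-Type: text/plain"   # constructed known plaintext
    weak_key = key_from_small_seed(seed)
    ct = xor_crypt(weak_key, header)
    recovered = audit_seed_space(header, ct, seed_bits)
    return {
        "advertised_bits": KEY_BYTES * 8,
        "effective_bits": effective_key_bits(seed_bits, KEY_BYTES * 8),
        "seed_recovered": recovered == seed,
        "recovered_key_matches": recovered is not None
        and key_from_small_seed(recovered) == weak_key,
    }


if __name__ == "__main__":
    print(demo())
```

The audit succeeds within at most 2^16 trial keys regardless of the 256-bit key length, whereas no such enumeration is possible for a key from key_from_csprng; the same audit is the check to run whenever a product's key generator is seeded from anything other than a proper entropy source.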
4. A BETTER WAY?

Good security is very difficult to achieve and total security is impossible. No single technical security solution can provide an answer, because each fails to address the inherent problems in computer security. Rather, a proper balance of security mechanisms must be achieved that addresses the fundamental problems of increasing complexity, rapid rate of change, and the people factor [1, 10]. This paper advocates three approaches that begin to address the inherent difficulties in computer security.

Designing Security into Systems from the Start

In a world of limited resources, system developers must distribute them among the competing demands of functionality, performance, and customer usability [10]. Often, one of the first components to go, if it was ever included in the first place, is security. One reason is that most users don't care much about security. Their primary concerns are simplicity, convenience, and compatibility with their existing, albeit insecure, systems [13]. For example, it has been documented that some electronic commerce systems have made implementation trade-offs in security to enhance usability [7]. Moreover, when security is included in a system, it is usually added on at the end, almost as an afterthought. Such practices do not produce secure software, and many times have the opposite effect of introducing vulnerabilities. The better approach is to design security into systems from the very start. Schneier and Shostack propose a defensive model of design that is focused on designing systems to be secure from the architecture down. Because it has been shown that adding security to a system after the design phase is difficult, expensive, and prone to failure, they offer a model that motivates security considerations in the beginning phases of system design. This approach eliminates many of the costly and complex attempts to add security at the end of design [15]. All trusted systems must base their engineering on sound security models that were considered from the start [10]. This approach will successfully produce secure systems only if it requires those responsible for the design, development, and implementation of these systems to recognize the potential unintended consequences and vulnerabilities introduced by their decisions in the process [5]. After all, just because a system works does not mean it works correctly or securely; unfortunately, testing never identifies all security flaws before a product is shipped [7].

Secure Operating Systems

Many current security efforts operate under the mistaken assumption that adequate security can be achieved by building applications that run on top of today's operating systems [1]. Even applications that were designed very securely often fail because of the lack of underlying security support from the operating system. An operating system with well-designed security mechanisms is an important and necessary component of the lofty goal of total system security [1]. Security provided by the operating system is essential to providing overall system security. Because the operating system is the interface between the hardware and any software applications that execute, failure to build basic security mechanisms into the operating system can result in system-wide vulnerabilities. For example, the OS is responsible for protecting application-space mechanisms from tampering by other processes [1].
If even this basic need is not met, an informed attacker and a renegade process can hijack the system with a few careful operations. Because rising system complexity and interconnectivity have increased system-wide vulnerabilities, the need for secure operating systems is more essential in today's computing environment than ever before [1]. Today's mainstream operating systems are subject to easy subversion. Once the operating system has been penetrated, nothing is left to protect a system's hardware except the hardware itself. Attempts to address this problem without redesigning the actual operating system have failed. For example, Java is a language that was developed with some security mechanisms built in. All security concerns in Java are addressed at the application layer above the operating system. The basic Java Security Model is based on the notion of the sandbox. The system relies on features of the language working in conjunction with the Java Security Manager to prevent unauthorized actions [1]. A number of other, independently developed security solutions for the World Wide Web have been proposed, each one with its own security model. All of these systems, including Java, have been shown to be vulnerable to numerous attacks, including those from mobile code, because they rely on 'high-level' security solutions which are vulnerable because of a lack of operating system support for security [1]. The fundamental limitation of these high-level approaches is that none of them can guarantee that the system cannot be tampered with or bypassed [1]. Truly secure operating systems, with mandatory security mechanisms built in, provide security-related functionality and support to an application by ensuring that these mechanisms cannot be tampered with or bypassed [1]. These built-in mandatory security mechanisms can also strictly confine an application to a single security domain that is rigidly separate from other process domains in the system [1].

Security Awareness and Training

Another approach that has a good chance of improving overall system security, quite apart from any particular technology, is security awareness and training for the user. This can be done effectively by most organizations as part of a broad, ongoing training and awareness program that keeps members' attention focused on security-related issues [9]. This cannot be a simple one-time effort; it must be a comprehensive training and awareness program that is carried out continually, with the emphasis always on maintaining a secure environment [9]. It has been shown in many organizations that a large number of existing vulnerabilities in any information system can be eliminated through the consistent application of reasonable, low-cost computer security awareness training combined with procedures to implement the organization's policies [9]. For example, many users consider hand-held authenticators to be inconvenient. However, in high-threat environments where remote access is required, they offer a substantial increase in security [16]. By making users aware of the threats and the need for better security, many of them begin to use the proposed security mechanisms that enhance the security of the overall organization.
5. CONCLUSION

Public awareness of the need for secure systems has grown tremendously over the last several years. The increase in personal computer use, the exponential growth in interconnectivity, and the advent of the World Wide Web have especially increased public concern for security [1, 2]. A number of well-intentioned computer security technologies have been developed, but none of them provides adequate, system-level security. Moreover, based on the current direction of information technology, it appears unlikely that a silver bullet is on the horizon in the area of computer security. While no system can guarantee 100% security, approaches that attempt to address the inherent problems in computer security will likely provide better solutions and make our systems more secure in the future.
6. REFERENCES

[1] P. A. Loscocco, S. D. Smalley, P. A. Muckelbauer, R. A. Taylor, S. J. Turner, and J. F. Farrell, “The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments,” in Proc. 21st National Information Systems Security Conference, Crystal City, VA, 1998.
[2] C. P. Pfleeger, Security in Computing, Second Ed., Upper Saddle River, NJ: Prentice Hall, 1997.
[3] B. C. Neumann, “Protection and Security Issues for Future Systems,” in Proc. Workshop on Operating Systems of the 90s and Beyond, Dagstuhl Castle, Germany, 1991.
[4] D. E. Denning, Information Warfare and Security, Reading, MA: Addison Wesley, 1999.
[5] D. S. Alberts, “The Unintended Consequences of Information Age Technologies,” available at http://www.ndu.edu/ndu/inss/books/uc/uchome.html, April 1996.
[6] B. Cheswick, “The Design of a Secure Internet Gateway,” in Proc. Summer USENIX Conference, Anaheim, CA, June 1990.
[7] B. Schneier, “Security Pitfalls in Cryptography,” available at http://www.counterpane.com/pitfalls.html, April 1999.
[8] B. Schneier, “Cryptography, Security and the Future,” Communications of the ACM, vol. 40, no. 1, January 1997, p. 138.
[9] Dept. of Transportation, “Emerging Issues in Transportation Information Infrastructure Security,” in Proc. Challenges and Opportunities for Global Transportation in the 21st Century, Volpe Center, Cambridge, MA, 1996.
[10] D. E. Denning, “Protection and Defense of Intrusion,” in Proc. National Security in the Information Age, Colorado Springs, CO, 1996.
[11] R. Heady, G. Luger, A. Maccabe, and M. Servilla, “The Architecture of a Network Level Intrusion Detection System,” Tech. Rep. CS90-20, University of New Mexico, August 1990.
[12] B. Schneier, “Cryptographic Design Vulnerabilities,” Computer, vol. 31, no. 9, 1998, pp. 29-33.
[13] B. Schneier, “Why Cryptography is Harder than it Looks,” Information Security Bulletin, vol. 2, no. 2, 1997, pp. 31-36.
[14] S. M. Bellovin, “Cryptography and the Internet,” in Proc. CRYPTO '98, August 1998, pp. 46-55.
[15] B. Schneier and A. Shostack, “Breaking Up is Hard to Do: Modeling Security Threats for Smart Cards,” available at http://www.counterpane.com/smart-card-threats.html, April 1999.
[16] S. M. Bellovin and M. Merritt, “Limitations of the Kerberos Authentication System,” in Proc. Winter USENIX Conference, Dallas, TX, January 1991.