Reflections on “Trust Evidence”

Jonathan M. Smithjms@cis.upenn.edu

Computer and Information Science

University of Pennsylvania

ONR MURI N00014-07-1-0907

Review Meeting

June 10, 2010

Cyberwarfare, botnets and trust

Report Documentation Page Form ApprovedOMB No. 0704-0188

Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering andmaintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information,including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, ArlingtonVA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if itdoes not display a currently valid OMB control number.

1. REPORT DATE 10 JUN 2010 2. REPORT TYPE

3. DATES COVERED 00-00-2010 to 00-00-2010

4. TITLE AND SUBTITLE Cyberwarfare, botnets and trust

5a. CONTRACT NUMBER

5b. GRANT NUMBER

5c. PROGRAM ELEMENT NUMBER

6. AUTHOR(S) 5d. PROJECT NUMBER

5e. TASK NUMBER

5f. WORK UNIT NUMBER

7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) University of Pennsylvania,Computer and Information Science,3451Walnut St,Philadelphia,PA,19104

8. PERFORMING ORGANIZATIONREPORT NUMBER

9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S)

11. SPONSOR/MONITOR’S REPORT NUMBER(S)

12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited

13. SUPPLEMENTARY NOTES MURI Review, June 2010. U.S. Government or Federal Rights License

14. ABSTRACT

15. SUBJECT TERMS

16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT Same as

Report (SAR)

18. NUMBEROF PAGES

20

19a. NAME OFRESPONSIBLE PERSON

a. REPORT unclassified

b. ABSTRACT unclassified

c. THIS PAGE unclassified

Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18

11/4/09 ONR MURI Review 2

What is cyberwarfare?

• Attacks against adversary using computers as

weapons

– And, defense against such attacks

• Goal is attack/defense of nation(s)

– Issues are scale, capabilities, willingness

11/4/09 ONR MURI Review 3

Kinetic versus Cyber

Attribute Kinetic Cyber

EffectsVariable (largely known,

e.g., guns, bombs)

Variable (largely

unknown)

Coverage Limited by materiel Global

Speed Limited by transport Possibly instantaneous

Cost (as %GDP) Significant Insignificant

Industrial base important? Yes No

Attributable Yes, at scale Not clear, at any scale

11/4/09 ONR MURI Review 4

Example: Estonia

• http://www.nytimes.com/2007/05/29/technology/2

9estonia.html

• Affected government, banks, newspapers

• Example of “Denial of Service” attack

• If you depend on the net

– Availability: your packets get through

– “Best effort” (IP service) not enough

– 1M machines send one 1KB packet/second

• 8 Gbits/second – overwhelms most links

11/4/09 ONR MURI Review 5

11/4/09 ONR MURI Review 6

Attribution (who did it?)

• Kinetic weapons: easy

• Internet: source addresses not needed for

routing, anonymity tools

11/4/09 ONR MURI Review 7

Botnets

• Can botnets be eliminated at the host?

– Same question as “can hosts be made secure”

• Can they be detected and defended against?

– DDoS major threat

• We demonstrate detection of the command and

control is hard

11/4/09 ONR MURI Review 8

Humanets

• Routing via smartphone wireless LAN ports

• Could do epidemic routing

– Overloads network

• Smarter use of smartphones

– Look for “promiscuous” host …

– That is also likely to move towards destination

• Does it work?

11/4/09 ONR MURI Review 9

Capture data from G-1

:nandaah

.!....-

0 ottsville

0 Jamaqua

Lancaster

llersvllle

~Pep.n . ~ ee

Bridgeton u

0 ;.ttllville

Dover....._ ....... ___ _

0 Hammonton

Egg Ma s

0 Harbo r Ctty

y- 1( Landtng 1

b

11/4/09 ONR MURI Review 10

Location data from S.F. Cabs

~Pep.n . ~ ee

Hunters Paint

F.rs

11/4/09 ONR MURI Review 11

Are locations predictable?

CD E 0 I c .r.

~ -c CD (.) ..... CD

11..

1

0.8

0.6

0.4

0.2

0

~Pep.n ~ ee

~I :: t 0 l I I I I I

'\ t • r 1 • ''• ! t' l J : ~ : t t~ :. ·~1 J • ~ : ~ ,., 1\ l =~ h: = ~ . ; : ~ 1

• ~ ),

: 1 ~ I t If: :: :'ft I I " ~ : ~ ~ I I I I t 10 ' 1 ~ : ~ .·:1011 t ~ 1110 01 : \ i 1: :, ::,

;, ~~ ~~ 11

1 I ~ t l 1 1 II 11 ~1 I

11~1 ~It I l

I I ft 1 l1 lllltl I t ' to I I .II It I I I ~ I I I tl . ..... I I t•l•t ~ I I • 't II t l I I tl I t I fll I I I ~ ' :~ I II I I I 1 ~ 1 I I • ffl I • I I ' l A I I t il

~~ ~ ,:: ;:~: :: ~ ::-::::-.::II ~ I: ! ~ .r. : ~: ~ .: .:: .. :: 1 : :·· : ·~· "'1 • I -; t 116 II 1 tf 11 U f 1 II If I I I I f t ~I tl 1 o ., It I ~ I 11 I I t

1! I 1

1 : i

I ~~ I I: ~ : : t ! , : l,l : ~ I I; :: : it ~ • = : I :· ~ ~ ,: II 1: :, : : : !1J1 I' :t 1 1 I II 'J 11 1 I " , , ~ I: i ~ • ::~~ :: : I

1 I :. It 1f J j _ 1 1 .. • I I 1 : l 1 ~ I 1 I I I J 11 I f' I: 11 'it I I : r. 1

~I n:: l ~r "~:~.~: : :• ~ t I ~ Itt lt l : : :

I I : : ' I;; ' I I • ~: : · .. . : •· I 1 1 ~~ ~ ~ ~~~ • • 1 f t ~ 111 .. ~ : .. : I I .. '• '• ,.... ~ ~ . ... :~ .. \ ! ;: ~: ru l~ . ! : !jj ! ;.

\f:! I II ~ • 'i

r ~~

Sep/04 Nov/04

Regular+lrregular Time

Jan/05 Mar/05

11/4/09 ONR MURI Review 12

It works pretty well on the data…

c 0

:;::; (.)

~ u. Q)

> ~

~ ::J E ::J ()

1

0.8

0.6

0.4

0.2

•' ... - .· .. •'

I

,' I" ,.·

I

' / I I

I I I I I I , : I I , ' I

' I I I ,

I I I

I I .

I I I I , I I I I I I I I I I

' . ... . ..· i ....... ··· I

I , ,,,l' I • I •

~' ... ·

.•·•··· .. /

/ :~ ....

.. · .. ·· l.,..:

'!' .. ......... •··

, .......... .

... ·· ' ,.,.-··

.. ···· (:

/

.... ·· ... ········

.............................. ···

HumaNet Routing (85% success) -­Flooding (76.3% success)

Flooding w/prob 5% (60.3% success) ·········· Random Walk w/prob 5% 28.7 success) ··········· · ......

0 ~--~----~----~--~----~----~----L-~-L----~

0 500 1 000 1500 2000 2500 3000 3500 4000 4500

Latency (minutes)

~Pep.n . ~ ee

11/4/09 ONR MURI Review 13

Impact?

• Completely decentralized C&C net

– 85% delivery in 12 hours

• Easy to use for botnet or …

– Wherever short commands are enough

• Hard to detect (you have to be local)

• Hard to block

11/4/09 ONR MURI Review 14

Trust: What is it?

• Trust is the expectation that the right thing will

happen for the right person at the right time and

at the right place

• Various factors can increase or decrease this

expectation

– Unknowns (and unknowables?)

– Adversaries

• 100% and 0% not achievable, but how close?

11/4/09 ONR MURI Review 15

Reasoning about Trust

• Trust is often based on transitive trust

– I trust Alice since I trust Bob and Bob trusts

Alice

• But degree of trust is more subtle

– I trust Alice less than Bob, with whom I vacation

(i.e., my knowledge of Bob is better, and direct)

• Trust is dynamic

– More experience with Alice, Bob cheats me, …

– As examples show, increases and decreases

11/4/09 ONR MURI Review 16

Dependencies and Independence

• Trust is often based on assumptions of trust

– This creates a chain of dependencies

– See Thompson, “Reflections on Trusting Trust”

• Most SW systems assume HW trusted

– “FPGA Viruses”, Hazdic, Udani, Smith, FPL „99

– “Overcoming an Untrusted TCB”, Hicks, Finnicum, King, Martin, Smith, S&P ‟10

• Desiderata: Independent attestation

– Thinking Bayes: Pr(good) = 1-Pr(bad1)*Pr(bad2)*…

11/4/09 ONR MURI Review 17

Blaze, et al., “Trust Management” supports

dependent and independent trust

PRINCIPAL

- U.S. Customs -PRINCIPAL

- A U.S. Citizen -

-POLICY-- CREDENTIAL STORE -

-COMPLIANCE

CHECKER-

-INTERFACE-

local policycryptographically

signed

credentials

naming

DISTRIBUTED authorization and compliance checking

Policies may be dynamically introduced by multiple authorities

11/4/09 ONR MURI Review 18

BIOS 2Level 1

Root of Trust – Arbaugh‟s AEGIS (Oakland „97)

BIOS 2BIOS 2Expansion

ROMs

Level 2

BootBlock

Level 3

SoftwareEnvironment Level 4

BIOS 1NetcardLevel 0

TrustedRepository

Network

11/4/09 ONR MURI Review 19

Evidence of Trust

• Multiple independent sources for attestation

– E.g., voting TPMs with secured access (crypto)

• Minimal dependent sources

– Rely as much as possible on differential integrity

– Secure Boot on TPM

• Robust integrity checks

– Chaining Layered Integrity Checks

• Dynamics – situational awareness

• Recovery strategies using independence

11/4/09 ONR MURI Review 20

Local Policy Context

Information

Decision

Meta-Policy

Reputation

Database

Request

&

Credentials

ActionPolicy

Evaluation

Engine

Decision

Maker

Reputation

Algorithm

Reputatio

n

Quantifier

TDG

ExtractorTDG

TV

Compliance Value

FeedbackPolicy-Based

Trust Manager

Reputation-Based

Trust Manager Decison Manager

Quantitative Trust Management (Eurosec ‟09)