what does ‘security’ mean for ubiquitous applications?
DESCRIPTION
What does ‘Security’ mean for Ubiquitous Applications?. Ross Anderson Cambridge. Outline of Talk. Security can help to control technical complexity, by limiting interaction It can help control complexity of use - security usability will be a big growth area - PowerPoint PPT PresentationTRANSCRIPT
What does ‘Security’ What does ‘Security’ mean for Ubiquitous mean for Ubiquitous
Applications?Applications?
Ross AndersonRoss Anderson
CambridgeCambridge
Outline of TalkOutline of Talk
Security can help to control technical Security can help to control technical complexity, by limiting interactioncomplexity, by limiting interaction
It can help control complexity of use - It can help control complexity of use - security usability will be a big growth areasecurity usability will be a big growth area
It is also about conflict - about tussles for It is also about conflict - about tussles for commercial control, user privacycommercial control, user privacy
First, let’s look at some ubiquitous First, let’s look at some ubiquitous applicationsapplications
Ubicomp (1) - Smart DustUbicomp (1) - Smart Dust
Thousands of motes deployed in a self-Thousands of motes deployed in a self-organizing network for surveillanceorganizing network for surveillance
This is in conflict with the interests of the party This is in conflict with the interests of the party under surveillanceunder surveillance
There may be capable opponents - enemies There may be capable opponents - enemies who deploy ‘black dust’ against your ‘white dust’who deploy ‘black dust’ against your ‘white dust’
Also privacy issues - e.g. if US law prevents Also privacy issues - e.g. if US law prevents monitoring US citizens without a warrantmonitoring US citizens without a warrant
Security partly ‘military’, partly regulatorySecurity partly ‘military’, partly regulatory
Ubicomp (2) - RFIDUbicomp (2) - RFID
Passive tags returning 128-bit unique IDPassive tags returning 128-bit unique ID Story about ‘refilling your fridge’ - but at heart, Story about ‘refilling your fridge’ - but at heart,
RFID is about controlling supply chainsRFID is about controlling supply chains US privacy row - can a third party scan not just US privacy row - can a third party scan not just
what you’re wearing but where you bought it, what you’re wearing but where you bought it, when and for how much?when and for how much?
Triggered widespread resistance - from trade-Triggered widespread resistance - from trade-policy wonks to fundamentalist Christianspolicy wonks to fundamentalist Christians
Serious political objection: RFID enables Serious political objection: RFID enables manufacturers to clamp down on grey market manufacturers to clamp down on grey market trading, in contravention of EU Single Markettrading, in contravention of EU Single Market
Ubicomp (3) - in the CarUbicomp (3) - in the Car
Latest cars have 40-50 CPUs, CANBUS, Latest cars have 40-50 CPUs, CANBUS, BluetoothBluetooth
Closest so far to Ubicomp ideal of computers Closest so far to Ubicomp ideal of computers embedded invisibly everywhere - with a serious embedded invisibly everywhere - with a serious attempt to make them usable, automatic etcattempt to make them usable, automatic etc
Growing problem of feature interaction - multiple Growing problem of feature interaction - multiple administrators / ‘owners’administrators / ‘owners’
Worries about platform vulnerabilityWorries about platform vulnerability From the privacy angle, the combination of GSM, From the privacy angle, the combination of GSM,
GPS, logging, road pricing and DRM is bad stuffGPS, logging, road pricing and DRM is bad stuff Also, issues with aftermarket controlAlso, issues with aftermarket control
Ubicomp (4) - The Digital HomeUbicomp (4) - The Digital Home
Vision (e.g. Toshiba U-home) - appliances talk Vision (e.g. Toshiba U-home) - appliances talk via UWB, 802.11, Bluetooth, IR, RFIDvia UWB, 802.11, Bluetooth, IR, RFID
Home gateway talks broadband to the worldHome gateway talks broadband to the world But trust management gets complex! But trust management gets complex! Issues of policy - multiple domains (do teens Issues of policy - multiple domains (do teens
have privacy from parents and/or vice-versa?)have privacy from parents and/or vice-versa?) Issues of practice - how do you mate the access Issues of practice - how do you mate the access
control /DRM systems of multiple platforms?control /DRM systems of multiple platforms? How can my mother manage all this stuff?How can my mother manage all this stuff?
A Possible FrameworkA Possible Framework
One machine - standard computability, One machine - standard computability, complexity theories; programming toolscomplexity theories; programming tools
One person - applied psychologyOne person - applied psychology One person, one machine: HCIOne person, one machine: HCI One machine, many people: access controlsOne machine, many people: access controls One person, many machines (or: many apps) - One person, many machines (or: many apps) -
feature interaction, conflict, more HCI issuesfeature interaction, conflict, more HCI issues Many people, many machines: more complexity, Many people, many machines: more complexity,
more conflict, affecting more and more sectorsmore conflict, affecting more and more sectors
How can the security How can the security engineer help?engineer help?
First goal: control system complexity from the First goal: control system complexity from the programmer’s viewpoint programmer’s viewpoint
Feature interaction is the fastest-growing source Feature interaction is the fastest-growing source of new problemsof new problems
We can help ensure that one application only We can help ensure that one application only interacts with another via the official interface interacts with another via the official interface (compartmented operating systems, ‘Trusted (compartmented operating systems, ‘Trusted Computing’)Computing’)
We can also help ensure that the application We can also help ensure that the application programming interface can’t be manipulated programming interface can’t be manipulated (API security - see my papers with Mike Bond)(API security - see my papers with Mike Bond)
VSM Attack (2000)VSM Attack (2000) Top-level crypto keys exchanged between banks in several Top-level crypto keys exchanged between banks in several
parts carried by separate couriers, which are recombined parts carried by separate couriers, which are recombined using the exclusive-OR functionusing the exclusive-OR function
SourceHSM
DestHSM
KP1
KP2
Repeat twice…
User->HSM : Generate Key ComponentHSM->Printer : KP1HSM->User : { KP1 }ZCMK
Combine components…
User->HSM : { KP1 }ZCMK ,{ KP2 }ZCMK
HSM->User : { KP1 xor KP2 }ZCMK
Repeat twice…
User->HSM : KP1
HSM->User : { KP1 }ZCMK
Combine components…
User->HSM : { KP1 }ZCMK ,{ KP2 }ZCMK
HSM->User : { KP1 xor KP2 }ZCMK
API attack: XOR To Null KeyAPI attack: XOR To Null Key A single operator could feed in the same part A single operator could feed in the same part
twice, which cancels out to produce an ‘all zeroes’ twice, which cancels out to produce an ‘all zeroes’ test key. PINs could be extracted in the clear using test key. PINs could be extracted in the clear using this keythis key
Other API manipulation attacks were found on Other API manipulation attacks were found on essentially all crypto processors on the market!essentially all crypto processors on the market!
Combine components…
User->HSM : { KP1 }ZCMK , { KP1 }ZCMK
HSM->User : { KP1 xor KP1 }ZCMK
KP1 xor KP1 = 0
New Research Problems?New Research Problems?
Turning TC / API security ideas into working Turning TC / API security ideas into working products will be non-trivialproducts will be non-trivial
Another black hole: maintainabilityAnother black hole: maintainability E.g. at present most security literature is about E.g. at present most security literature is about
bootstrapping into a secure state - once Alice bootstrapping into a secure state - once Alice and Bob share a key, we head for the pub!and Bob share a key, we head for the pub!
Bugs in products are not usually fixed - you are Bugs in products are not usually fixed - you are expected to buy a new mobile phone every year. expected to buy a new mobile phone every year. But this won’t work for air-conditioners!But this won’t work for air-conditioners!
More on MaintainabilityMore on Maintainability
Parallel: early software engineering work was on Parallel: early software engineering work was on producing large programs from scratch; now it’s producing large programs from scratch; now it’s about evolution. Theses are no longer written on about evolution. Theses are no longer written on the ‘waterfall model’ but on ‘extreme the ‘waterfall model’ but on ‘extreme programming’programming’
We have almost no literature on security We have almost no literature on security resilience, and on automatic recovery after resilience, and on automatic recovery after compromisecompromise
Our own tentative ideas: ‘Smart Trust for Smart Our own tentative ideas: ‘Smart Trust for Smart Dust’, Anderson, Chan and Perrig, ICNP 2004Dust’, Anderson, Chan and Perrig, ICNP 2004
But we will need much, much more!But we will need much, much more!
How can we help? (2)How can we help? (2)
Second goal: control system complexity from the Second goal: control system complexity from the user’s viewpointuser’s viewpoint
The current bottleneck is security usabilityThe current bottleneck is security usability It’s taken 30 years to come up with (barely It’s taken 30 years to come up with (barely
adequate) ways of managing the millions of bits adequate) ways of managing the millions of bits of security state in a typical companyof security state in a typical company
The home is more complex still!The home is more complex still! Meanwhile, consumers have difficulty with VCR Meanwhile, consumers have difficulty with VCR
programming and basic PC adminprogramming and basic PC admin
Ubicomp and UsabilityUbicomp and Usability
U-Vision - embedded devices will be easy to U-Vision - embedded devices will be easy to use, thus eliminating the PC’s frustrationsuse, thus eliminating the PC’s frustrations
More sober view (Odlyzko) - trade-off between More sober view (Odlyzko) - trade-off between flexibility and ease of use is different for different flexibility and ease of use is different for different users (and same user at different times/tasks)users (and same user at different times/tasks)
Norman’s ‘human-centered engineering’ Norman’s ‘human-centered engineering’ assumes mature products (a long way off!)assumes mature products (a long way off!)
‘‘We will still be frustrated, but at a higher We will still be frustrated, but at a higher level of functionality, and there will be level of functionality, and there will be more of us willing to be frustrated’more of us willing to be frustrated’
Odlyzko’s warningOdlyzko’s warning
Home environment is likely to be more Home environment is likely to be more complicated than today’s office complicated than today’s office environment, and home users generally environment, and home users generally less knowledgeable less knowledgeable
We may have to outsource the setup and We may have to outsource the setup and maintenance of home appliances to experts maintenance of home appliances to experts - that is, remote administration- that is, remote administration
Users given varying degrees of control, Users given varying degrees of control, ‘depending on skills and trustworthiness’‘depending on skills and trustworthiness’
We can already see the beginnings of this in We can already see the beginnings of this in mobile phone and car electronics marketsmobile phone and car electronics markets
Perils of Remote AdminPerils of Remote Admin
I just don’t want Bill running my home!I just don’t want Bill running my home! His competitors should like it even less!His competitors should like it even less! Even with open standards, there will be Even with open standards, there will be
severe tensions. Plumbing nightmares will severe tensions. Plumbing nightmares will be replaced by call-centre hellbe replaced by call-centre hell
Cynical view: if the equilibrium is set by Cynical view: if the equilibrium is set by customers’ frustration tolerance, more customers’ frustration tolerance, more usable systems means you can sell more usable systems means you can sell more stuff before this point is reachedstuff before this point is reached
Market Demand for Usability?Market Demand for Usability?
‘‘Microsoft has triumphed because it has Microsoft has triumphed because it has given us what we asked for: constant given us what we asked for: constant novelty coupled with acceptable novelty coupled with acceptable stability, rather than the other way stability, rather than the other way around. ... People talk simplicity but around. ... People talk simplicity but buy features and pay the buy features and pay the consequences. Complex features consequences. Complex features multiply hidden costs and erode both multiply hidden costs and erode both efficiency and simplicity.’ (E Tenner, efficiency and simplicity.’ (E Tenner, ‘The Microsoft We Deserve’, NYT)‘The Microsoft We Deserve’, NYT)
Usability and IncentivesUsability and Incentives
User sees his phone banking app not as a User sees his phone banking app not as a Vodafone thing but a Citibank thingVodafone thing but a Citibank thing
If it works, Citibank gets the creditIf it works, Citibank gets the credit If it doesn’t, Vodafone gets the blameIf it doesn’t, Vodafone gets the blame Incentives aren’t right for the app vendor Incentives aren’t right for the app vendor
or the platform vendoror the platform vendor Worse - there are half-a-dozen stages in Worse - there are half-a-dozen stages in
the supply chain. Who’ll do the work?the supply chain. Who’ll do the work?
The Right Abstractions?The Right Abstractions?
Roles, or groups?Roles, or groups? Brands?Brands? Locations? Locations? Other restrictions on state?Other restrictions on state? People? (biometrics, nyms?)People? (biometrics, nyms?) Directories, or file types?Directories, or file types? Machine owners, or file creators?Machine owners, or file creators? What does it mean to ‘lock the digital front door’?What does it mean to ‘lock the digital front door’?
Scientific challengeScientific challenge
Computer scientists have spent the last 50 years Computer scientists have spent the last 50 years building tools that help developers get a little bit building tools that help developers get a little bit further up the complexity mountainfurther up the complexity mountain
‘‘Risk thermostat’ - 30% of big projects fail, but Risk thermostat’ - 30% of big projects fail, but they are bigger projects each yearthey are bigger projects each year
But the complexity that now matters most, for But the complexity that now matters most, for building predictably dependable systems, is not building predictably dependable systems, is not from the CPU’s viewpoint but the brain ‘sfrom the CPU’s viewpoint but the brain ‘s
What should we design now instead of What should we design now instead of languages, compilers and CASE tools?languages, compilers and CASE tools?
The Broader AspectsThe Broader Aspects
As everyday objects acquire intelligence, it is as As everyday objects acquire intelligence, it is as if they are under magic spellsif they are under magic spells
Motorola’s phones have magic that stops them Motorola’s phones have magic that stops them working with other firms’ batteriesworking with other firms’ batteries
HP’s printers are under a spell that stops them HP’s printers are under a spell that stops them working with other firms’ inkworking with other firms’ ink
Microsoft’s new IRM stops Office documents Microsoft’s new IRM stops Office documents working with OpenOfficeworking with OpenOffice
Where will it end? How should governments Where will it end? How should governments regulate a world of magic spells?regulate a world of magic spells?
Economics of Information Economics of Information SecuritySecurity
Over the last four years, we have started to Over the last four years, we have started to apply economic analysis to information securityapply economic analysis to information security
Economic analysis often explains security failure Economic analysis often explains security failure better then technical analysis!better then technical analysis!
Information security mechanisms are used Information security mechanisms are used increasingly to support business models rather increasingly to support business models rather than to manage riskthan to manage risk
Economic analysis is also vital for the public Economic analysis is also vital for the public policy aspects of securitypolicy aspects of security
Traditional View of InfosecTraditional View of Infosec
People used to think that the Internet was People used to think that the Internet was insecure because of lack of features – insecure because of lack of features – crypto, authentication, filteringcrypto, authentication, filtering
So engineers worked on providing better, So engineers worked on providing better, cheaper security features – AES, PKI, cheaper security features – AES, PKI, firewalls …firewalls …
About 1999, we started to realize that this About 1999, we started to realize that this is not enoughis not enough
New View of InfosecNew View of Infosec
Systems are often insecure because the people Systems are often insecure because the people who could fix them have no incentive towho could fix them have no incentive to
Bank customers suffer when bank systems allow Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems fraud; patients suffer when hospital systems break privacy; Amazon’s website suffers when break privacy; Amazon’s website suffers when infected PCs attack itinfected PCs attack it
Security is often what economists call an Security is often what economists call an ‘externality’ – like environmental pollution‘externality’ – like environmental pollution
Security is also increasingly used to support Security is also increasingly used to support business models by locking in customers, tying business models by locking in customers, tying products etcproducts etc
Current Security Economics Current Security Economics Research TopicsResearch Topics
Understand differences between growing and mature Understand differences between growing and mature markets (bargains then rip-offs; security ignored then markets (bargains then rip-offs; security ignored then later used to lock in customers)later used to lock in customers)
Why do people say they value privacy but act as if they Why do people say they value privacy but act as if they don’t?don’t?
Do we spend too little on security, or too much?Do we spend too little on security, or too much? Where are the incentives misaligned, and why?Where are the incentives misaligned, and why? What’s the appropriate government policy?What’s the appropriate government policy? Economics and Security Resource Page – Economics and Security Resource Page – www.www.clcl
.cam.ac..cam.ac.ukuk/~rja14//~rja14/econsececonsec.html.html
The Soft WorldThe Soft World
Effects of technology are always overestimated Effects of technology are always overestimated short-term but underestimated long-termshort-term but underestimated long-term
Putting CPUs and comms into every thing Putting CPUs and comms into every thing costing over a few bucks will change the worldcosting over a few bucks will change the world
Software will provide ever more of the valueSoftware will provide ever more of the value Many industries will become ever more like the Many industries will become ever more like the
software industrysoftware industry We’ll get the good (flexibility), the bad We’ll get the good (flexibility), the bad
(frustration) and the ugly (monopolies)(frustration) and the ugly (monopolies)
ConclusionsConclusions
Ubiquitous computing presents many security Ubiquitous computing presents many security research opportunitiesresearch opportunities
We can apply existing work in compartmented We can apply existing work in compartmented operating systems, API security, crypto etcoperating systems, API security, crypto etc
We face serious new challenges in security We face serious new challenges in security usability and in maintainabilityusability and in maintainability
Economic and policy aspects are also nontrivial - Economic and policy aspects are also nontrivial - security is a socio-technical systemsecurity is a socio-technical system
Understanding the interplay of technical, design Understanding the interplay of technical, design and policy issues is the really hard challengeand policy issues is the really hard challenge