Newsflash: NSA says that absolute security models exist. Oh, wait, that was in 1998. /ht @Cryptomeorg

Cryptome just tweeted this ancient essay:

PDF:

The Inevitability of Failure:
The Flawed Assumption of Security in Modern Computing Environments

Peter A. Loscocco, Stephen D. Smalley, Patrick A. Muckelbauer, Ruth C. Taylor, S. Jeff Turner, John F. Farrell
tos@epoch.ncsc.mil
National Security Agency

Although public awareness of the need for security in computing systems is growing rapidly, current efforts to provide security are unlikely to succeed. Current security efforts suffer from the flawed assumption that adequate security can be provided in applications with the existing security mechanisms of mainstream operating systems. In reality, the need for secure operating systems is growing in today’s computing environment due to substantial increases in connectivity and data sharing. The goal of this paper is to motivate a renewed interest in secure operating systems so that future security efforts may build on a solid foundation.

The paper is a relic of its era; a one-size-fits-all approach to security policy – profoundly hierarchical and tunnel-visioned.

The unpalatable truth which the paper avoided addressing – perhaps we did not realise it back then – is that policy drives security, not the other way around.

There’s nothing wrong with doing “secure operating system research” – quite the opposite, I’d love to be paid to fart around with platforms that start with a threat model and then implement novel ways of ensuring that bad people get to achieve nothing with whatever you build.

But Mandatory Access Control and Trusted Paths are fiddly to control and are also means to enable bad things happening – really bad things like censorship or – worse – disintermediating the user from his machine, by which I mean third parties being permitted to mess around with the content you’ve ostensibly purchased on the hardware you have also ostensibly purchased.

In 1997 – similar era – at a CSI conference I gave a presentation on website Active Content which largely still stands today; the technologies have changed a bit (more Javascript, less Java/ActiveX) but otherwise it still works 15 years later.

After a while one must wonder whether, if the world has not collapsed in spite of 15+ years of these problems remaining unsolved, this indicates something?

Perhaps lack of security is not and never has been or will be the cause of the death of the Internet?

Absolute security is a myth because there is no universal, one-size-fits-all threat model, and humanity is very good at living without the safety net of mandatory access control and trusted paths (etc) – and surviving the occasional fall.

The internet works because people by and large are mostly-honest and mostly-good; that’s not going to change terribly quickly, if at all.

For all future authors: to decry an effective, functioning reality as “insecure” is a matter of perspective. The onus should be placed upon the speaker to demonstrate, beyond the claim that “bad things could happen”, that we are all losing out on some economically and humanly desirable opportunity that we are currently entirely missing.

2 thoughts on “Newsflash: NSA says that absolute security models exist. Oh, wait, that was in 1998. /ht @Cryptomeorg”

  1. Dave Walker

    “The paper is a relic of its era; a one-size-fits-all approach to security policy – profoundly hierarchical and tunnel-visioned.”

    …and also, quite probably, heavily influenced by the culture of the organisation from whence it came. It would be enlightening to see whether that culture has changed, in the intervening time.

    “The unpalatable truth which the paper avoided addressing – perhaps we did not realise it back then – is that policy drives security, not the other way around.”

    Yup – and in a sensible world, threat models should have a big influence on policy. So, as you rightly say, “there is no universal, one-size-fits-all threat model” – therefore, as threat (and risk appetite) should drive policy which in turn drives security, there might actually be an absolute security model for a given wholly cut-and-dried, widely-applicable threat model – but if you can find such a threat model, you’re doing better than me.

    I may well be one of the UK’s bigger advocates of Mandatory Access Control, but I accept that, like most tools, it works extremely well in some contexts but not others; the question of whether it’s appropriate in any given context, is down (as well as threat modelling) to who has what privilege, and also who’s asking.

    When you start getting from Trusted Path and protective marking schemas involving sensitivities as well as domains, the biggest problem is that the human mind seems to be remarkably poor at doing data classification.

    “Perhaps lack of security is not and never has been or will be the cause of the death of the Internet?”

    It’s survived the influx of Microsoft Windows systems, so far – you therefore have a good point. Whether it would survive universal lack of security, is another matter.

    “After a while one must wonder that if the world has not collapsed in spite of 15+ years of these problems remaining unsolved, perhaps this indicates something?”

    Well, yeah; the Internet is treated as what it is (and sometimes people get rude awakenings, on that front). For the most part, it seems to me that information which keeps the world running stays on private networks, as even though we have decent crypto, enough people still have threat models which consider Internet comms disruption (or the risk of decent crypto ceasing to be decent, over time) unduly risky.

    Where information finds its way onto the Internet and shouldn’t be there – WikiLeaks, old SCADA systems, backdoors of whatever nature – the media still predicts the sky will fall. It may be ironic, but lack of media doom-mongering in the face of normal Internet operation may be a good but tacit indicator of what the Internet is accepted as being appropriate for…

  2. Vic Winkler

    Dave

    Your last sentence is where I have a problem, namely the gap between what is advisable and the state-of-practice.

    The evidence is that the gap is recognized but expected cost keeps it from being addressed.

    It’s good to see you kicking tires out here.
    vic
