Column
An Angel on your shoulder

Dr Steve Moyle, Secerno

APRIL 2007

How do you react when you are provoked? Do you say things you later regret? Would you prefer that there was a ministering angel perched upon your shoulder, vetting everything you hear or say? This is not uncommon. We all recognize when family, friends and colleagues behave out of character. I see my son’s face haze over with a red mist after being teased by his sister, just before she gets him to spill the beans on his most cherished secrets.

Computer systems are no different. Attackers are people too. Increasingly, their attacks are becoming personal – targeted at your systems to get your data. Now is the time to seek and find your ministering angel.

Users and attackers provoke your systems in ways that their designers did not intend, and they do things which may have undesirable consequences. Perhaps they will gush confidential information, corrupt records, provide users with higher levels of access than they deserve, or even shut down your 24/7 database services. We have seen a growing body of evidence that attackers are achieving these undesirable outcomes – by exploiting buffer overflow vulnerabilities, through SQL injection and inference attacks, and by insider attacks and social engineering.

Language barriers

At the Las Vegas security conference in August 2006, David Litchfield was reported as saying: “In my opinion, database security is riddled with holes and it’s the biggest problem we face in IT today. Organizations should be aware that the latest SQL injection threat, called an inference attack, may be able to deliver up their databases on a silver platter.”

The solution lies in understanding the communications between our system components. How would a ministering angel recognise that we were being provoked? The provocations themselves would be transmitted in the form of a language that the recipient recognises (e.g. English). However, languages typically provide an infinite number of acceptable statements to be expressed, making it even more difficult to determine the provocative from the benign. Even worse, a statement that is provocative in one situation is acceptable in another – context matters. This angel of ours has a lot of work to do to shield us from our attackers’ taunts and our rash replies.
On a positive note

The good news is that computer communication differs from natural language, since computers operate on precisely defined rules. Recent developments have found such an angel in the realm of computing. Techniques have emerged that learn to measure and understand the sub-space of the language that is normally used by a system (in a particular context), so that only this part of the language is allowed. The breakthrough has potentially wide-ranging consequences.

Kurt Gödel, the famous early 20th century mathematician, teaches us that there is no way to prove in advance absolutely everything that a system is capable of doing. Moreover, in general, it is not possible to know that there are no vulnerabilities in a system. This is known as the undecidability result, which was proven mathematically by the war-time genius Alan Turing. The ministering angel turns the tables. It offers a fundamentally new way to redress the balance.
DNA

Consider the database situation. Applications interact with a database using the ubiquitous scripting language SQL (Structured Query Language). The language space of SQL happens to be infinite. However, any particular application-database pair does not use this full infinite space, and tends to confine itself to the areas that its unique programmed functionality needs. Another application-database pair is in a similar situation, but due to the nature of its tasks, utilises a different subspace of the SQL language. The term Dynamic Normal Activity (DNA) can be used to describe this property. Just as DNA controls the evolution of living organisms, Dynamic Normal Activity encapsulates the understanding that allows you to control live operations of your business systems.

Having identified the Dynamic Normal Activity SQL subspace, the angel can easily spot different forms of provocation where the database is being asked questions that we would prefer it never answered – for example, an adversary crafting a targeted attack on an unsuspecting database using SQL injection or inference attacks.

At a QinetiQ conference in June 2006, Dr Steve Marsh of the Cabinet Office described the common situation of the disparity between the functionality in the computer system as designed, the functionality that was tested and shipped, and that actually used. Within such a gap lies a space of security uncertainty – what can really be achieved by using this part of the system?
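As an added illustration (not the author's or Secerno's code), here is a small Python sketch of the idea: an application's SQL "DNA" is learned as the set of statement shapes it normally issues, and any statement whose shape falls outside that learned subspace is flagged. The training and test traffic are constructed for the example.

```python
import re

# Constructed training traffic: what one hypothetical application normally
# sends to its database. This sample is the application's "DNA" subspace.
NORMAL_TRAFFIC = [
    "SELECT id, name FROM customers WHERE id = 42",
    "SELECT id, name FROM customers WHERE id = 7",
    "SELECT * FROM orders WHERE customer_id = 42 AND status = 'open'",
    "UPDATE customers SET email = 'a@example.com' WHERE id = 42",
    "INSERT INTO audit_log (actor, action) VALUES ('web', 'login')",
]

_STRING = re.compile(r"'(?:[^']|'')*'")      # 'literal', with '' escapes
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")   # integer or decimal literal
_SPACE = re.compile(r"\s+")

def template(sql: str) -> str:
    """Reduce a statement to its structural shape: literals become '?',
    case is folded and whitespace normalised. Statements with the same
    template use the same part of the SQL language."""
    s = _STRING.sub("?", sql)        # strings first, so digits inside them vanish
    s = _NUMBER.sub("?", s)
    return _SPACE.sub(" ", s).strip().lower()

def learn(statements):
    """Learn the set of templates that make up the application's normal activity."""
    return {template(s) for s in statements}

def is_normal(dna, sql: str) -> bool:
    """A statement is acceptable only if its shape lies inside the learned subspace."""
    return template(sql) in dna

def audit(dna, statements):
    """Return the statements whose shape falls outside the learned subspace."""
    return [s for s in statements if not is_normal(dna, s)]

if __name__ == "__main__":
    dna = learn(NORMAL_TRAFFIC)
    # Constructed test traffic: new literal values keep a known shape and pass;
    # an injected tautology or an added sub-query changes the shape and is flagged.
    candidates = [
        "SELECT id, name FROM customers WHERE id = 1234",
        "UPDATE customers SET email = 'b@example.com' WHERE id = 9",
        "SELECT id, name FROM customers WHERE id = 42 OR 1 = 1",
        "SELECT * FROM orders WHERE customer_id = 42 AND (SELECT COUNT(*) FROM customers) > 10",
    ]
    for s in audit(dna, candidates):
        print("outside DNA:", s)
```

A production learner would also need to tolerate the application's legitimate rare paths (batch jobs, administrative screens) before it is switched from monitoring to prevention, which is the virtuous cycle of measuring and re-learning the column describes.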
Out with the old, in with the new

A further worry is that over time, features get added and only rarely are “stale” features removed, for fear of breaking something. The old adage “If it ain’t broke don’t fix it” is often cited, but actually, each feature in a software system causes an expansion in the system’s vulnerability surface. We want to identify the no-longer-needed features, isolate them, and remove them from our live environments in a controlled fashion.

Implicit security features continue to be forgotten as legacy systems are connected to far-reaching networks. The trusted mainframe environment where punch cards were once handed to an operator – who visually identified the person requesting the program to be run – has been replaced by a network connection and terminal access. No longer is our system’s human operator acting as our angel, vetting everything that is run on the mainframe. Yet the legacy programs that were designed for this environment may still be at the core of your business operations.

A similar trend is happening in the realm of server computers, as businesses need to deliver increasingly valuable business data (e.g. B2B transactions) across the internet and intranet, often using architectures whose security properties were designed to provide low-risk information (e.g. company brochures available via a web browser).

Taking control

At this point we can see that by improving the understanding of operational systems – both legacy and new systems – we can begin to control and protect the system. We can pro-actively strive towards ideal behaviour, as we monitor and manage potential security issues around actual measured behaviour. This understanding can be achieved automatically by analyzing conversations between components in the systems – by measuring the DNA – for example between an application and the valuable database. A virtuous cycle can be built from measuring conversations, learning from conversations, understanding the consequences of conversations, improving system interactions, and measuring again.

The protection of computer systems uniquely depends not only on the systems themselves, but also on how those systems are used – by people and by other computers. Testing cannot prove a system or detect all its vulnerabilities. Another approach is needed: an intelligent approach to monitoring the conversations between the components is required – to measure their DNA. These components converse in pre-agreed formats (computer languages and protocols). For the first time, it is now possible to deploy monitoring and prevention systems that accurately learn what a safe conversation is for each particular application. Armed with this information it is possible for application and database owners to improve their systems continuously over time. This is the ministering angel that can give you the edge over attacks targeted at your systems to get your data.