Share PowerPoint. Anywhere!

InvitedTalk2

Uploaded from authorPOINT Lite
Download as Download Not Available PPT
Presentation Description

No description available

Comments Sign in to comment
Uploaded By:

Mark Inappropriate
 Add to your favorites
Embed URL Thumbnail


Customize embed|   WordPress Embed

Like authorSTREAM?


You can vote once a day till December
10th, Vote Now!
What's up on authorSTREAM?
Contribute a Slide
Views: 11
Like it  ( Likes) Dislike it  ( Dislikes)
Added: April 10, 2008 This presentation is Public
Presentation Category :Education
Tags Add Tags
Presentation StatisticsNew!
Views on authorSTREAM: 11
Presentation Transcript

What does ‘Security’ mean for Ubiquitous Applications? : What does ‘Security’ mean for Ubiquitous Applications? Ross Anderson Cambridge


Outline of Talk : Outline of Talk Security can help to control technical complexity, by limiting interaction It can help control complexity of use - security usability will be a big growth area It is also about conflict - about tussles for commercial control, user privacy First, let’s look at some ubiquitous applications


Ubicomp (1) - Smart Dust : Ubicomp (1) - Smart Dust Thousands of motes deployed in a self-organizing network for surveillance This is in conflict with the interests of the party under surveillance There may be capable opponents - enemies who deploy ‘black dust’ against your ‘white dust’ Also privacy issues - e.g. if US law prevents monitoring US citizens without a warrant Security partly ‘military’, partly regulatory


Ubicomp (2) - RFID : Ubicomp (2) - RFID Passive tags returning 128-bit unique ID Story about ‘refilling your fridge’ - but at heart, RFID is about controlling supply chains US privacy row - can a third party scan not just what you’re wearing but where you bought it, when and for how much? Triggered widespread resistance - from trade-policy wonks to fundamentalist Christians Serious political objection: RFID enables manufacturers to clamp down on grey market trading, in contravention of EU Single Market


Ubicomp (3) - in the Car : Ubicomp (3) - in the Car Latest cars have 40-50 CPUs, CANBUS, Bluetooth Closest so far to Ubicomp ideal of computers embedded invisibly everywhere - with a serious attempt to make them usable, automatic etc Growing problem of feature interaction - multiple administrators / ‘owners’ Worries about platform vulnerability From the privacy angle, the combination of GSM, GPS, logging, road pricing and DRM is bad stuff Also, issues with aftermarket control


Ubicomp (4) - The Digital Home : Ubicomp (4) - The Digital Home Vision (e.g. Toshiba U-home) - appliances talk via UWB, 802.11, Bluetooth, IR, RFID Home gateway talks broadband to the world But trust management gets complex! Issues of policy - multiple domains (do teens have privacy from parents and/or vice-versa?) Issues of practice - how do you mate the access control /DRM systems of multiple platforms? How can my mother manage all this stuff?


A Possible Framework : A Possible Framework One machine - standard computability, complexity theories; programming tools One person - applied psychology One person, one machine: HCI One machine, many people: access controls One person, many machines (or: many apps) - feature interaction, conflict, more HCI issues Many people, many machines: more complexity, more conflict, affecting more and more sectors


How can the security engineer help? : How can the security engineer help? First goal: control system complexity from the programmer’s viewpoint Feature interaction is the fastest-growing source of new problems We can help ensure that one application only interacts with another via the official interface (compartmented operating systems, ‘Trusted Computing’) We can also help ensure that the application programming interface can’t be manipulated (API security - see my papers with Mike Bond)


VSM Attack (2000) : VSM Attack (2000) Top-level crypto keys exchanged between banks in several parts carried by separate couriers, which are recombined using the exclusive-OR function Source HSM Dest HSM KP1 KP2 Repeat twice… User->HSM : Generate Key Component HSM->Printer : KP1 HSM->User : { KP1 }ZCMK Combine components… User->HSM : { KP1 }ZCMK ,{ KP2 }ZCMK HSM->User : { KP1 xor KP2 }ZCMK Repeat twice… User->HSM : KP1 HSM->User : { KP1 }ZCMK Combine components… User->HSM : { KP1 }ZCMK ,{ KP2 }ZCMK HSM->User : { KP1 xor KP2 }ZCMK


API attack: XOR To Null Key : API attack: XOR To Null Key A single operator could feed in the same part twice, which cancels out to produce an ‘all zeroes’ test key. PINs could be extracted in the clear using this key Other API manipulation attacks were found on essentially all crypto processors on the market! Combine components… User->HSM : { KP1 }ZCMK , { KP1 }ZCMK HSM->User : { KP1 xor KP1 }ZCMK KP1 xor KP1 = 0


New Research Problems? : New Research Problems? Turning TC / API security ideas into working products will be non-trivial Another black hole: maintainability E.g. at present most security literature is about bootstrapping into a secure state - once Alice and Bob share a key, we head for the pub! Bugs in products are not usually fixed - you are expected to buy a new mobile phone every year. But this won’t work for air-conditioners!


More on Maintainability : More on Maintainability Parallel: early software engineering work was on producing large programs from scratch; now it’s about evolution. Theses are no longer written on the ‘waterfall model’ but on ‘extreme programming’ We have almost no literature on security resilience, and on automatic recovery after compromise Our own tentative ideas: ‘Smart Trust for Smart Dust’, Anderson, Chan and Perrig, ICNP 2004 But we will need much, much more!


How can we help? (2) : How can we help? (2) Second goal: control system complexity from the user’s viewpoint The current bottleneck is security usability It’s taken 30 years to come up with (barely adequate) ways of managing the millions of bits of security state in a typical company The home is more complex still! Meanwhile, consumers have difficulty with VCR programming and basic PC admin


Ubicomp and Usability : Ubicomp and Usability U-Vision - embedded devices will be easy to use, thus eliminating the PC’s frustrations More sober view (Odlyzko) - trade-off between flexibility and ease of use is different for different users (and same user at different times/tasks) Norman’s ‘human-centered engineering’ assumes mature products (a long way off!) ‘We will still be frustrated, but at a higher level of functionality, and there will be more of us willing to be frustrated’


Odlyzko’s warning : Odlyzko’s warning Home environment is likely to be more complicated than today’s office environment, and home users generally less knowledgeable We may have to outsource the setup and maintenance of home appliances to experts - that is, remote administration Users given varying degrees of control, ‘depending on skills and trustworthiness’ We can already see the beginnings of this in mobile phone and car electronics markets


Perils of Remote Admin : Perils of Remote Admin I just don’t want Bill running my home! His competitors should like it even less! Even with open standards, there will be severe tensions. Plumbing nightmares will be replaced by call-centre hell Cynical view: if the equilibrium is set by customers’ frustration tolerance, more usable systems means you can sell more stuff before this point is reached


Market Demand for Usability? : Market Demand for Usability? ‘Microsoft has triumphed because it has given us what we asked for: constant novelty coupled with acceptable stability, rather than the other way around. ... People talk simplicity but buy features and pay the consequences. Complex features multiply hidden costs and erode both efficiency and simplicity.’ (E Tenner, ‘The Microsoft We Deserve’, NYT)


Usability and Incentives : Usability and Incentives User sees his phone banking app not as a Vodafone thing but a Citibank thing If it works, Citibank gets the credit If it doesn’t, Vodafone gets the blame Incentives aren’t right for the app vendor or the platform vendor Worse - there are half-a-dozen stages in the supply chain. Who’ll do the work?


The Right Abstractions? : The Right Abstractions? Roles, or groups? Brands? Locations? Other restrictions on state? People? (biometrics, nyms?) Directories, or file types? Machine owners, or file creators? What does it mean to ‘lock the digital front door’?


Scientific challenge : Scientific challenge Computer scientists have spent the last 50 years building tools that help developers get a little bit further up the complexity mountain ‘Risk thermostat’ - 30% of big projects fail, but they are bigger projects each year But the complexity that now matters most, for building predictably dependable systems, is not from the CPU’s viewpoint but the brain ‘s What should we design now instead of languages, compilers and CASE tools?


The Broader Aspects : The Broader Aspects As everyday objects acquire intelligence, it is as if they are under magic spells Motorola’s phones have magic that stops them working with other firms’ batteries HP’s printers are under a spell that stops them working with other firms’ ink Microsoft’s new IRM stops Office documents working with OpenOffice Where will it end? How should governments regulate a world of magic spells?


Economics of Information Security : Economics of Information Security Over the last four years, we have started to apply economic analysis to information security Economic analysis often explains security failure better then technical analysis! Information security mechanisms are used increasingly to support business models rather than to manage risk Economic analysis is also vital for the public policy aspects of security


Traditional View of Infosec : Traditional View of Infosec People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering So engineers worked on providing better, cheaper security features – AES, PKI, firewalls … About 1999, we started to realize that this is not enough


New View of Infosec : New View of Infosec Systems are often insecure because the people who could fix them have no incentive to Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; Amazon’s website suffers when infected PCs attack it Security is often what economists call an ‘externality’ – like environmental pollution Security is also increasingly used to support business models by locking in customers, tying products etc


Current Security Economics Research Topics : Current Security Economics Research Topics Understand differences between growing and mature markets (bargains then rip-offs; security ignored then later used to lock in customers) Why do people say they value privacy but act as if they don’t? Do we spend too little on security, or too much? Where are the incentives misaligned, and why? What’s the appropriate government policy? Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html


The Soft World : The Soft World Effects of technology are always overestimated short-term but underestimated long-term Putting CPUs and comms into every thing costing over a few bucks will change the world Software will provide ever more of the value Many industries will become ever more like the software industry We’ll get the good (flexibility), the bad (frustration) and the ugly (monopolies)


Conclusions : Conclusions Ubiquitous computing presents many security research opportunities We can apply existing work in compartmented operating systems, API security, crypto etc We face serious new challenges in security usability and in maintainability Economic and policy aspects are also nontrivial - security is a socio-technical system Understanding the interplay of technical, design and policy issues is the really hard challenge

Contribute to World Peace
  • Account

  • RSS

  • Browse

  • Help & Info

  • Why authorSTREAM
Catch the buzz on authorSTREAM | Teach and Learn Online in a Free Virtual Classroom on WiZiQ
Copyright © 2002-2008 authorSTREAM. All rights reserved.