Dancing with the Adversary: A Tale of Wimps and Giants

  • Virgil Gligor
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8809)

Abstract

The long-standing requirement that system and network designs must include accurate and complete adversary definitions from inception remains unmet on commodity platforms; e.g., on commodity operating systems, network protocols, and applications. A way to provide such definitions is to (1) partition commodity software into “wimps” (i.e., small software components with rather limited function and high-assurance security properties) and “giants” (i.e., large commodity software systems, with low/no assurance of security); and (2) limit the obligation of defining the adversary to wimps while realistically assuming that the giants are adversary controlled. We provide a structure for accurate and complete adversary definitions that yields basic security properties and metrics for wimps. Then we argue that wimps must collaborate (“dance”) with giants, namely compose with adversary code across protection interfaces, and illustrate some of the salient features of the wimp-giant composition. We extend the wimp-giant metaphor to security protocols in networks of humans and computers where compelling services, possibly under the control of an adversary, are offered to unsuspecting users. Although these protocols have safe states whereby a participant can establish temporary beliefs in the adversary’s trustworthiness, reasoning about such states requires techniques from other fields, such as behavioral economics, rather than traditional security and cryptography.

Acknowledgments

This paper benefitted from discussions and joint work with Min Suk Kang, Miao Yu, Jun Zhao, and Zongwei Zhou. Their insights are gratefully acknowledged. This work was supported in part by the National Science Foundation (NSF) under grant CCF-0424422 and a gift from Intel Corporation at CyLab. The views and conclusions contained in this document are those of the author and should not be interpreted as representing the official policies, either expressed or implied, of any sponsoring institution, the U.S. government or any other entity.


Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  Carnegie Mellon University, Pittsburgh, USA