Everything I Needed to Know about Security, I Learned in 1974

David Elliott Bell

Off This Week

With apologies to Robert Fulghum
Look at the Changes Since 1974

Commentary
Career

Commentary
Prologue
- Multics papers, 1965 FJCC
- Ware Report, 11 April 1970
- Glaser Panel / Anderson Report, October 1972
© David Elliott Bell • 2009, 2010

Commentary
Ware Report

© David Elliott Bell • 2009, 2010

Commentary
Anderson Report

© David Elliott Bell • 2009, 2010

Commentary
Nature of a Good "Model"
- Generalization of a full design
- Model as a tool
- Model as a delineating definition
© David Elliott Bell • 2009, 2010

Commentary
Model-as-a-Tool
- Descriptive capability
- General results
- Specific solutions
© David Elliott Bell • 2009, 2010

Commentary

Table of Changes in First Four Reports


Vol	State Components	"Security"	State Transition	Theorem
MF	P(S × O) M F	Security Condition rel f	W	Basic Security Theorem
AMM	P(S × O × A) M F	SC rel f (only for r, w modes) *-property	W({ρ₁,…ρ₁₁})	Theorem 4.1: security-preserving *-property-preserving
RMM	P(S × O × A) M F H	security-property for r, w modes revised *-property Trusted subjects Current security level Compatability	W({ρ₁,…ρ₅,ρ₁₂,…ρ₁₇})	For each rule ρ_k, security-property-preserving *-property-preserving
UE&MI	P(S × O × A) M F H	simple-security-property -property discretionary-security-property Multics control*	W({R1, … R11})	Theorem A10 for each rule: ss-property-preserving *-property-preserving ds-property-preserving

Commentary

There was actually a lot of change during the analysis and writing that went into the first four volumes of the "Secure Computer Systems" reports, now referred to at the "Bell-La Padula model." Most people are only exposed to the last volume, "Unified Exposition and Multics Interpretation," and are thus not exposed to the most important lessons of security modeling:

Development of a tool set requires tinkering.
Need for change can come from pure thinking or (more frequently) from engineering application of the existing tool set.
With a pretty-complete tool set, additional modeling is only required in exceptional circumstances:

Too large a conceptual leap from tool set to the target situation
A new state-transition
A new context

Conceptual Thinking + Engineering

Commentary

Wrong Roles
- Government is rotten at building and maintaining systems
- Private sector is rotten at developing real security
© David Elliott Bell • 2009, 2010

Commentary
Computer Security Initiative

© David Elliott Bell • 2009, 2010

Commentary
Principles in TCSEC
- Define "security"
- Good conceptual design
- Faithful implementation
- Write it down
- Check your work
- Known counter-measures
- Difficult to address new issues in a timely fashion
© David Elliott Bell • 2009, 2010

Commentary
Trusted Computer System Evaluation Criteria

© David Elliott Bell • 2009, 2010

Commentary

The construction of the TCSEC was an exercise in giving partial credit. At the outset, the-best-security-we-know was posted at the high end: A1. The development of the lower levels was a matter of weakening the requirements in a rational fashion, down to C2, which was characterized as "best commercial practice." C2 (and its tarted up sibling, B1) were characterized as adequate to keep order among cooperating parties.

While everyone knew that market-forces-produced systems were insufficient for good security, the plan of providing partial credit and determining which situations could get by with lower security provided a transition path. Over time, the needed security features and assurances could gradually become commercially mainstream. This did work, 'though not as completely as was hoped.
Lessons Endure, Even with . . .
- Aperiodic modifications to the modeling tool kit
- The problem with networks
  - Become more common at publication of TCSEC, but
  - Without 20 years' experience in their security
© David Elliott Bell • 12 April 2006

Commentary

Modeling Developments


Situation	Interesting Aspect
SCOMP evaluation	Rule "restrictions"
BLACKER Phase 1	Network system composed of three types of components
A Network Interpretation	objects = (subject, subject) [liaison] trusted subjects generalized with a-min & v-max
Security Policy Modeling the Next-Generation Packet Switch	Application of BLACKER insights to the existing DDN (Internet)
CMCS	Nature of modeling
NIST Sessions	Lattice for financial/engineering/corporate
Guide to MAC	MAC and integrity in a single lattice
LPI	Unavoidability of lattice isomorphisms
TXI	Subject instantiation in a Unix system
PPCW	All documented security policies are lattice policies
MMPM	Comparing unspecified policies in non-deterministic setting
GMI	Generic model interpretation for POSIX 1003.4 and SQL

Commentary

Aperiodically, I was called back to modeling or modeling interpretation tasks during the rest of my career. This table indicates the highlights of those developments.

Isolated Networks

© David Elliott Bell • 2009, 2010
Commentary

The pragmatic approach was to field isolated networks, different ones for each different security classification (or bundle of classifications). The advantage was that all users of the network, through the security clearance process, could be plausibly be viewed as "members of a community," cooperating colleagues.
- Field isolated networks
- Operational necessity for limited connection
Mostly Isolated Networks (MIN)

© David Elliott Bell • 2009, 2010
Commentary

Unfortunately, there are practical needs for the networks to have connections for limited, constrained communication. The diagrams typically leave out the connections between the networks, or use thin lines. But that near-invisibility is illusory. The connection should really be emphasized, rather than minimized. This pair of networks with a connection raises the need to consider what I call the "Computer Security Theorm."
- Tendency to underemphasize the importance of the connections
Intermediate Value Theorem

© David Elliott Bell • 2009, 2010
Commentary

The idea is shown here. If a network attaches two boxes, box A (at level alpha) and box B (at a different level beta not equal to alpha), then some box in the network is multilevel (where "multilevel" means that it manages objects of more than one security level).

The proof sketch is fairly simple and proceeds by contradiction. Suppose not. Then every box on the network operates at a single security level. Then on any path from A to B, each box operates at the same level as the one preceding. That means that alpha, A's level, is the same as beta, B's level, a contradiction.
- Moving from one level to another transits some multilevel node
- Will the multilevel node be weak? or strong?
MIN Security

© David Elliott Bell • 2009, 2010
Commentary

Thus, in our MIN situation, the connected networks are a network. If each of the networks is single-level, then the multilevel box must be on the thin-line connection. MIN Security is posited in the boxes that mostly-isolate the networks. We'd like to think that the operational computers in those connections are the strongest ones we know how to make, but such is not the case.
- MIN security relies on the thin lines between networks
- Systems connecting the networks are too weak for their job
21^st Century Challenges
- No effective champion
- No selfless acts of security
- Hard-won accomplishments at risk
- Government competes with industry
© David Elliott Bell • 2009, 2010

Commentary
What Can We Do?
- Tell ourselves the truth
- Beware of those who claim we are safe and secure
- Utilize precious resources whenever and wherever appropriate
© David Elliott Bell • 2009, 2010

Commentary
Be Cautious of Specious Pronouncements
- "We tried computer security but it didn't work."
- "MLS on the desktop isn't practical."
- "Government-built systems never work out in the long term. We have to use commercial systems."
- "We're using 'high assurance' products now."
- "We haven't seen that in our system."
- "We could explain why it's okay, but the results are classified."
- "I'd like to see you break into the system the way I've configured it."
© David Elliott Bell • 2009, 2010

Commentary
Reference Implementations

© David Elliott Bell • 2009, 2010

Commentary

Consider a Yahoo!-like situation, with file servers, simple static web servers, simple SeaViews-like DBMS, and finally dynamic web servers. Also overlay thin-client architectures where appropriate. None of this stretches any envelope.

Attaching that Yahoo!-like portal to two (or more) MINs changes the security posture entirely. The market-driven, "please cooperate" solutions fall short. Not even close. But secure versions of all those networked piece-parts have been demonstrated before. This is not research. It is "Development," the forgotten step in the life-cycle.

Last year, I proposed an internal R&D project to build reference implementations of these building blocks, one version on each of the available high-security systems. Unfortunately, R&D programs have turned into "R" programs. My proposal lost points because it wasn't new research. It was also claimed that commercial vendors and integrators had this issue well in hand - contrary to what vendors told me as I prepared my proposal.

I believe my proposal was a good one, but too expensive for me to fund on my retirement savings. I hope someone else will take it up. I'd even spend some time over lunch to help lay out the program. Anyone?
US VISIT — One Site
- Multilevel platform or multiple single-level platforms
- Multilevel DBMS or multiple single-level DBMS
- Multilevel file store or multiple single-level file stores
- But ...
- There must be a multilevel component
© David Elliott Bell • 2009, 2010

Commentary
Before

© David Elliott Bell • 2009, 2010
Commentary

Work before the Bell-La Padula model gave it context. Here is a castle, an over-used analogy for strong systems. Existing systems, developed in response to "market forces," were tested by specially-chartered "Tiger Teams" and found wanting. The teams found flaws that allowed entry to the systems. More alarmingly, design flaws found in System A were often found in System B. Experienced Tiger Teams could reuse previous successful attacks with high probability of success.

Tiger Teams also illustrated that a successful penetration cast a long shadow. Simplest was inserting an unknown "backdoor," analogous to the secret entries of actual castles. (More about this on the next slide.) More serious is the possibility of tunneling under the walls, "undermining" them. This was an attack beneath the security features (the walls, in the castle analogy). In computer systems, one can ignore the security features if one can successfully attack the core of the operating system (or executive). Such an attack on the foundation makes the security features irrelevant. This kind of attack in the form of subversion requires the highest level of security to assure a solid foundation.

After the Tiger Team exercises, the demonstrated lessons were (a) that market forces had not produced strong, secure systems; (b) security has to be built in, not added on later (to prevent undermining attacks); and (c) there has to be a blueprint for building a really secure system - a "conceptual design" of a secure system. That conceptual design was the task assigned to Len La Padula and me.
- Market forces inadequate
- Need built-in security
- Backdoors show we need life-cycle CM
- Undermining shows we need strength down to bedrock
Backdoor

© David Elliott Bell • 2009, 2010

Commentary

The planted backdoor shown was identified by Roger Schell and Paul Karger and was implemented and popularized by Ken Thompson. The initial step is to create an altered version of login that by-passes the identification and authentication step. The compiled version replaces the legitimate version, with the altered source code also removed. The source code doesn't match the running object code, but the object code will admit anyone that provides the backdoor key, say "Joshua."

Of course, recompilation of the legitimate login source code will wipe out the backdoor. So step 2 is to produce an altered version of cc that re-inserts the login backdoor whenever login itself is re-compiled. Step 2 also protects the bad cc by reinserting all the cc alterations any time cc is re-compiled.

With a self-protecting backdoor with an obscure key (like the Easter Eggs in commercial products), the situation is lost, barring hand-compilation or recompilation of the compiler without use of the bad cc. To protect against the insertion of bad logic, tight configuration control is required, throughout the software's entire life time.
Subversion: Two-Card Loader

© David Elliott Bell • 2009, 2010

Commentary

In the old days, getting a program into a computer for execution was done using a program called the loader. Hardware was included in the computer that would read in the full-service loader (on punched cards), then transfer execution to the program then loaded. It was not practical to put an entire loader onto one punched card, so the loaders ended up being "two-card loaders." After the two cards were loaded, any program could be loaded and executed.

Consider hidden code in an operating system that constitutes a full-service loader, the 21^st-Century version of the two-card loader. With such an artifact, a honed, pointed, polished attack could be run on the subverted system at any time in the future. Example 2CL subversions have been demonstrated whose "toehold" requires only six lines of code.

A 2CL subversion of a commercial operating system could tunnel under the system's "walls" and make all the advertized security features moot. Systems developed in response to market forces (B1 and C2) cannot be proof against such insertions and are indefensible in the most critical parts of our networks, the thin lines connecting our mostly-isolated networks.
Previous Thoughts on "Separation Kernel"

Bell, "Looking Back: Addendum," 2006

A fourth initiative would be to establish a consensus concerning the separation kernel, or partitioning kernel, or "Multiple Independent Levels of Security" (MILS). Advocates should gather or produce publication-quality materials covering relevant technical topics such as definitions, descriptions, and rationale. Critics and advocates should then debate the issues publicly. After this trial by fire, either the concept will be tested and stronger or its flaws will be clear. In the interim, efforts to further proselytize or to finalize protection profiles should be put on hold.

Suggestion declined.

© David Elliott Bell • 2009, 2010

Commentary
Parody

Everything I Needed to Know, I Learned in Kindergarten
Share everything.
Play fair.
Don't hit people.
Put things back where you found them.
Clean up your own mess.
Don't take things that aren't yours.
Say you're sorry when you hurt somebody.
Wash your hands before you eat.
Flush.

Warm cookies and cold milk are good for you.
Live a balanced life -
learn some and think some and draw some
and paint and sing and dance and play
and work every day some.
Take a nap every afternoon.

When you go out into the world,
watch out for traffic,
hold hands, and stick together.
Be aware of wonder.

Remember the little seed in the Styrofoam cup:
The roots go down and the plant goes up
and nobody really knows how or why,
but we are all like that.

Goldfish and hamsters and white mice
and even the little seed in the Styrofoam cup
- they all die.
So do we.

And then remember the Dick-and-Jane books
and the first word you learned
- the biggest word of all - LOOK.

Everything I Need to Know about Computer Security, I Learned in 1974
Share everything permitted by the ACL.
Not everyone plays fair.
Protect folks from being hit.
Structure systems so you know where things belong --
Messy systems are a hazard.
Prevent scofflaws from taking other people's things.
Say you're sorry when you hurt somebody,
but don't count on the kindness of strangers.
Keep the golden copy clean.
Sync, sync, reboot.

Warm cookies and cold milk are good for you.
So are data hiding and abstraction.
Live a whole life --
learn some and think some and design some
and paintball and RockBand and Wii and play
and work every day some.
Take a nap every afternoon,
Unless there's a red alert.

When you go out into the Internet's world,
watch out for bad traffic,
mutually authenticate, and stick together.
Be aware of the wondrous.

Remember the node in the network cloud:
the datagrams come in and the logic spits out
And nobody really can understand the whole from the parts
Any more than we can know each other completely.

Buzz words and grand plans and trends
and even good Criteria from C11
- they all die.
So do we.

And then remember the Multics papers
and the first concept you learned
- the biggest concept of all - PROTECTION.

© David Elliott Bell • 2009, 2010

Commentary